Bug 812552

Summary: dtach: Memory portion (random stack data) disclosure to the client by unclean client disconnect [rhel-6.2]
Product: Red Hat Enterprise Linux 6 Reporter: Enrico Scholz <rh-bugzilla>
Component: dtachAssignee: Lon Hohberger <lhh>
Status: CLOSED WONTFIX QA Contact: BaseOS QE - Apps <qe-baseos-apps>
Severity: low Docs Contact:
Priority: low    
Version: 6.2CC: jlieskov, lhh
Target Milestone: rc   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: 812551 Environment:
Last Closed: 2014-08-18 16:15:49 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On: 812551    
Bug Blocks: 835849    

Description Enrico Scholz 2012-04-14 19:18:18 UTC 
+++ This bug was initially created as a clone of Bug #812551 +++

Description of problem:

When client disconnects uncleanly, it might happen that an underlying
read() operation returns with an error.  This error was interpreted
wrongly because the negative return value was assigned to a variable
of unsigned type and being checked for <= 0. As this condition does
not hold in error case, a packet with wrong len (255) was sent instead
of aborting the client:

| read(0, 0x7fffa6dcfb12, 8) = -1 EIO (Input/output error)
| write(3, "\0\377\0\0\0\0\0\0\0\0", 10) = 10


The server accepts this broken packet and puts random data (stack
content) to the program:

| read(5, "\0\377\0\0\0\0\0\0\0\0", 10) = 10
| write(4, "\0\0\0\0\0\0\0\0\177~\377~\0\0\31\v|\352\377\177\0\0u\250C\335\347Hu\252\0E"..., 255) = 255


For reference, the 'pkt' is defined as

| struct packet
| {
| 	unsigned char type;
| 	unsigned char len;
| ...
| }


Version:

dtach-0.8-5.fc15.x86_64

--- Additional comment from enrico.scholz.de on 2012-04-14 15:16:22 EDT ---

Upstream:

https://sourceforge.net/tracker/?func=detail&aid=3517812&group_id=36489&atid=417357
Comment 2 RHEL Program Management 2012-09-07 05:14:11 UTC 
This request was evaluated by Red Hat Product Management for
inclusion in the current release of Red Hat Enterprise Linux.
Because the affected component is not scheduled to be updated
in the current release, Red Hat is unable to address this
request at this time.

Red Hat invites you to ask your support representative to
propose this request, if appropriate, in the next release of
Red Hat Enterprise Linux.
Comment 4 RHEL Program Management 2013-10-14 00:42:43 UTC 
This request was evaluated by Red Hat Product Management for
inclusion in the current release of Red Hat Enterprise Linux.
Because the affected component is not scheduled to be updated
in the current release, Red Hat is unable to address this
request at this time.

Red Hat invites you to ask your support representative to
propose this request, if appropriate, in the next release of
Red Hat Enterprise Linux.
Comment 7 RHEL Program Management 2014-08-18 16:15:49 UTC 
Development Management has reviewed and declined this request.
You may appeal this decision by reopening this request.