Description of problem: When client disconnects uncleanly, it might happen that an underlying read() operation returns with an error. This error was interpreted wrongly because the negative return value was assigned to a variable of unsigned type and being checked for <= 0. As this condition does not hold in error case, a packet with wrong len (255) was sent instead of aborting the client: | read(0, 0x7fffa6dcfb12, 8) = -1 EIO (Input/output error) | write(3, "\0\377\0\0\0\0\0\0\0\0", 10) = 10 The server accepts this broken packet and puts random data (stack content) to the program: | read(5, "\0\377\0\0\0\0\0\0\0\0", 10) = 10 | write(4, "\0\0\0\0\0\0\0\0\177~\377~\0\0\31\v|\352\377\177\0\0u\250C\335\347Hu\252\0E"..., 255) = 255 For reference, the 'pkt' is defined as | struct packet | { | unsigned char type; | unsigned char len; | ... | } Version: dtach-0.8-5.fc15.x86_64
Upstream: https://sourceforge.net/tracker/?func=detail&aid=3517812&group_id=36489&atid=417357
setting 'security' keyword because random stack data with potentially private information can be posted to public services (e.g. when running the irssi irc client in dtach).
*** This bug has been marked as a duplicate of bug 835853 ***