Bug 812551 - [PATCH] Bad behavior on disconnect
[PATCH] Bad behavior on disconnect
Status: CLOSED DUPLICATE of bug 835853
Product: Fedora
Classification: Fedora
Component: dtach (Show other bugs)
rawhide
Unspecified Unspecified
unspecified Severity urgent
: ---
: ---
Assigned To: Lon Hohberger
Fedora Extras Quality Assurance
: Security
Depends On:
Blocks: CVE-2012-3368 812552
  Show dependency treegraph
 
Reported: 2012-04-14 15:14 EDT by Enrico Scholz
Modified: 2012-06-27 06:03 EDT (History)
2 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
: 812552 (view as bug list)
Environment:
Last Closed: 2012-06-27 06:03:51 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:


Attachments (Terms of Use)


External Trackers
Tracker ID Priority Status Summary Last Updated
Debian BTS 625302 None None None 2012-06-26 20:34:59 EDT

  None (edit)
Description Enrico Scholz 2012-04-14 15:14:00 EDT
Description of problem:

When client disconnects uncleanly, it might happen that an underlying
read() operation returns with an error.  This error was interpreted
wrongly because the negative return value was assigned to a variable
of unsigned type and being checked for <= 0. As this condition does
not hold in error case, a packet with wrong len (255) was sent instead
of aborting the client:

| read(0, 0x7fffa6dcfb12, 8) = -1 EIO (Input/output error)
| write(3, "\0\377\0\0\0\0\0\0\0\0", 10) = 10


The server accepts this broken packet and puts random data (stack
content) to the program:

| read(5, "\0\377\0\0\0\0\0\0\0\0", 10) = 10
| write(4, "\0\0\0\0\0\0\0\0\177~\377~\0\0\31\v|\352\377\177\0\0u\250C\335\347Hu\252\0E"..., 255) = 255


For reference, the 'pkt' is defined as

| struct packet
| {
| 	unsigned char type;
| 	unsigned char len;
| ...
| }


Version:

dtach-0.8-5.fc15.x86_64
Comment 2 Enrico Scholz 2012-06-26 20:30:07 EDT
setting 'security' keyword because random stack data with potentially private information can be posted to public services (e.g. when running the irssi irc client in dtach).
Comment 3 Jan Lieskovsky 2012-06-27 06:03:51 EDT

*** This bug has been marked as a duplicate of bug 835853 ***

Note You need to log in before you can comment on or make changes to this bug.