Bug 812551 - [PATCH] Bad behavior on disconnect
Summary: [PATCH] Bad behavior on disconnect
Keywords:
Status: CLOSED DUPLICATE of bug 835853
Alias: None
Product: Fedora
Classification: Fedora
Component: dtach
Version: rawhide
Hardware: Unspecified
OS: Unspecified
unspecified
urgent
Target Milestone: ---
Assignee: Lon Hohberger
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks: 812552 CVE-2012-3368
TreeView+ depends on / blocked
 
Reported: 2012-04-14 19:14 UTC by Enrico Scholz
Modified: 2012-06-27 10:03 UTC (History)
2 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
: 812552 (view as bug list)
Environment:
Last Closed: 2012-06-27 10:03:51 UTC
Type: Bug
Embargoed:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Debian BTS 625302 0 None None None 2012-06-27 00:34:59 UTC

Description Enrico Scholz 2012-04-14 19:14:00 UTC
Description of problem:

When client disconnects uncleanly, it might happen that an underlying
read() operation returns with an error.  This error was interpreted
wrongly because the negative return value was assigned to a variable
of unsigned type and being checked for <= 0. As this condition does
not hold in error case, a packet with wrong len (255) was sent instead
of aborting the client:

| read(0, 0x7fffa6dcfb12, 8) = -1 EIO (Input/output error)
| write(3, "\0\377\0\0\0\0\0\0\0\0", 10) = 10


The server accepts this broken packet and puts random data (stack
content) to the program:

| read(5, "\0\377\0\0\0\0\0\0\0\0", 10) = 10
| write(4, "\0\0\0\0\0\0\0\0\177~\377~\0\0\31\v|\352\377\177\0\0u\250C\335\347Hu\252\0E"..., 255) = 255


For reference, the 'pkt' is defined as

| struct packet
| {
| 	unsigned char type;
| 	unsigned char len;
| ...
| }


Version:

dtach-0.8-5.fc15.x86_64

Comment 2 Enrico Scholz 2012-06-27 00:30:07 UTC
setting 'security' keyword because random stack data with potentially private information can be posted to public services (e.g. when running the irssi irc client in dtach).

Comment 3 Jan Lieskovsky 2012-06-27 10:03:51 UTC

*** This bug has been marked as a duplicate of bug 835853 ***


Note You need to log in before you can comment on or make changes to this bug.