Hide Forgot
+++ This bug was initially created as a clone of Bug #812551 +++ Description of problem: When client disconnects uncleanly, it might happen that an underlying read() operation returns with an error. This error was interpreted wrongly because the negative return value was assigned to a variable of unsigned type and being checked for <= 0. As this condition does not hold in error case, a packet with wrong len (255) was sent instead of aborting the client: | read(0, 0x7fffa6dcfb12, 8) = -1 EIO (Input/output error) | write(3, "\0\377\0\0\0\0\0\0\0\0", 10) = 10 The server accepts this broken packet and puts random data (stack content) to the program: | read(5, "\0\377\0\0\0\0\0\0\0\0", 10) = 10 | write(4, "\0\0\0\0\0\0\0\0\177~\377~\0\0\31\v|\352\377\177\0\0u\250C\335\347Hu\252\0E"..., 255) = 255 For reference, the 'pkt' is defined as | struct packet | { | unsigned char type; | unsigned char len; | ... | } Version: dtach-0.8-5.fc15.x86_64 --- Additional comment from enrico.scholz.de on 2012-04-14 15:16:22 EDT --- Upstream: https://sourceforge.net/tracker/?func=detail&aid=3517812&group_id=36489&atid=417357
This request was evaluated by Red Hat Product Management for inclusion in the current release of Red Hat Enterprise Linux. Because the affected component is not scheduled to be updated in the current release, Red Hat is unable to address this request at this time. Red Hat invites you to ask your support representative to propose this request, if appropriate, in the next release of Red Hat Enterprise Linux.
Development Management has reviewed and declined this request. You may appeal this decision by reopening this request.