Red Hat Bugzilla – Bug 812552
dtach: Memory portion (random stack data) disclosure to the client by unclean client disconnect [rhel-6.2]
Last modified: 2014-08-18 12:15:49 EDT
+++ This bug was initially created as a clone of Bug #812551 +++
Description of problem:
When client disconnects uncleanly, it might happen that an underlying
read() operation returns with an error. This error was interpreted
wrongly because the negative return value was assigned to a variable
of unsigned type and being checked for <= 0. As this condition does
not hold in error case, a packet with wrong len (255) was sent instead
of aborting the client:
| read(0, 0x7fffa6dcfb12, 8) = -1 EIO (Input/output error)
| write(3, "\0\377\0\0\0\0\0\0\0\0", 10) = 10
The server accepts this broken packet and puts random data (stack
content) to the program:
| read(5, "\0\377\0\0\0\0\0\0\0\0", 10) = 10
| write(4, "\0\0\0\0\0\0\0\0\177~\377~\0\0\31\v|\352\377\177\0\0u\250C\335\347Hu\252\0E"..., 255) = 255
For reference, the 'pkt' is defined as
| struct packet
| unsigned char type;
| unsigned char len;
--- Additional comment from email@example.com on 2012-04-14 15:16:22 EDT ---
This request was evaluated by Red Hat Product Management for
inclusion in the current release of Red Hat Enterprise Linux.
Because the affected component is not scheduled to be updated
in the current release, Red Hat is unable to address this
request at this time.
Red Hat invites you to ask your support representative to
propose this request, if appropriate, in the next release of
Red Hat Enterprise Linux.
Development Management has reviewed and declined this request.
You may appeal this decision by reopening this request.