Package: ser2net
Version: 2.5-1
Severity: serious
Tags: patch

ser2net provides a control port which may be (ab)used to trigger a segfault via a use after free. The write() handler may catch an error, free the controller struct and continue writing. This leads to another error (invalid fd) and a free & cleanup process on de-allocated data. This is the segfault.

The patch attached fixes the problem.

Sebastian
Subject: Fix use after free in controller

The controller will use its dynamically allocated data after it got free()d in the error path. What we see in syslog is:

| Jun 30 10:26:38 consrv3 ser2net[3073]: read error for controller port: Connection reset by peer
| Jun 30 10:26:39 consrv3 ser2net[3073]: The tcp write for controller had error: Bad file descriptor

The first error is "legal" because the destination decided to close its socket a little earlier than expected. The second error is already bad because it tries to use an already deallocated fd. Later we segfault.

Signed-off-by: Sebastian Andrzej Siewior <bige...@linutronix.de>

Index: ser2net-2.5/controller.c
===================================================================
--- ser2net-2.5.orig/controller.c 2009-06-30 10:50:57.000000000 +0200
+++ ser2net-2.5/controller.c 2009-06-30 10:52:28.000000000 +0200
@@ -557,10 +557,12 @@ /* This again was due to O_NONBLOCK, just ignore it. */ } else if (errno == EPIPE) { shutdown_controller(cntlr); + return; } else { /* Some other bad error. */ syslog(LOG_ERR, "The tcp write for controller had error: %m"); shutdown_controller(cntlr); + return; } } else { int i, j;
@@ -584,10 +586,12 @@ /* This again was due to O_NONBLOCK, just ignore it. */ } else if (errno == EPIPE) { shutdown_controller(cntlr); + return; } else { /* Some other bad error. */ syslog(LOG_ERR, "The tcp write for controller had error: %m"); shutdown_controller(cntlr); + return; } } else { cntlr->outbuf_count -= write_count;
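Review bot: The two added `return;` statements after `shutdown_controller(cntlr);` in the first hunk (the `errno == EPIPE` branch and the "Some other bad error" branch) are the right fix for the fall-through into the `} else { int i, j;` code that still uses `cntlr`, but nothing in the hunk records the invariant the fix relies on, namely that `shutdown_controller()` frees its argument. A one-line comment above each call, e.g. `/* shutdown_controller() frees cntlr; nothing below may touch it. */`, or on the function itself, would keep the next edit to this block from reintroducing the use-after-free. It is also worth confirming that the read-error path named in the syslog excerpt ("read error for controller port") returns after its own shutdown call, since the same fall-through there would produce the same crash.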
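Review bot: The second hunk patches an identical copy of the error-handling block from the first hunk (same `EPIPE` branch, same syslog text, same `shutdown_controller(cntlr);` calls), and the bug had to be fixed twice precisely because that block is duplicated at two write sites. Consider hoisting it into a small static helper that returns a flag meaning "controller was shut down, stop using cntlr", so each write site becomes one call followed by `return` and any future third write path cannot inherit the fall-through. The `cntlr->outbuf_count -= write_count;` context line confirms the success branch keeps touching `cntlr` after the `if`, so the early `return;` is required here as well; the hunk is correct as written.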