Your message dated Wed, 29 Sep 2010 19:59:28 +0000
with message-id <e1p12ok-0001ad...@franck.debian.org>
and subject line Bug#535159: fixed in ser2net 2.5-1+lenny1
has caused the Debian Bug report #535159,
regarding ser2net: fix use after in control port handling
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
535159: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=535159
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: ser2net
Version: 2.5-1
Severity: serious
tags: patch
ser2net provides a control port which may be (ab)used to cause a segfault via
use after free. The write() handler may catch an error, free the
controller struct and continue writing. This leads to another error
(invalid fd) and a free & cleanup process on de-allocated data. This is
the segfault.
The patch attached fixes the problem.
Sebastian
Subject: Fix use after free in controller
The controller will use its dynamically allocated data after it got free()
in the error path. What we see in syslog is:
| Jun 30 10:26:38 consrv3 ser2net[3073]: read error for controller port: Connection reset by peer
| Jun 30 10:26:39 consrv3 ser2net[3073]: The tcp write for controller had error: Bad file descriptor
The first error is "legal" because the destination decided to close its
socket a little earlier than expected. The second error is already bad
because it tries to use an already deallocated fd. Later we segfault.
Signed-off-by: Sebastian Andrzej Siewior <bige...@linutronix.de>
Index: ser2net-2.5/controller.c
===================================================================
--- ser2net-2.5.orig/controller.c 2009-06-30 10:50:57.000000000 +0200
+++ ser2net-2.5/controller.c 2009-06-30 10:52:28.000000000 +0200
@@ -557,10 +557,12 @@
/* This again was due to O_NONBLOCK, just ignore it. */
} else if (errno == EPIPE) {
shutdown_controller(cntlr);
+ return;
} else {
/* Some other bad error. */
syslog(LOG_ERR, "The tcp write for controller had error: %m");
shutdown_controller(cntlr);
+ return;
}
} else {
int i, j;
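Review bot: the two added return lines after shutdown_controller(cntlr), in the EPIPE branch and in the "Some other bad error" branch, carry no comment saying why the function must stop there. The commit message says the controller's data is freed in the error path, so a one-line comment above each return, for example /* cntlr is gone after shutdown_controller(), do not touch it */, would keep a later edit from dropping the return again.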
@@ -584,10 +586,12 @@
/* This again was due to O_NONBLOCK, just ignore it. */
} else if (errno == EPIPE) {
shutdown_controller(cntlr);
+ return;
} else {
/* Some other bad error. */
syslog(LOG_ERR, "The tcp write for controller had error: %m");
shutdown_controller(cntlr);
+ return;
}
} else {
cntlr->outbuf_count -= write_count;
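Review bot: the error ladder at -584 is a line-for-line copy of the one at -557, so the fix had to be applied twice and any further write site could miss it. Consider moving the EPIPE and other-error handling into one helper that reports whether the controller was shut down, leaving each write site with a single check followed by return. The hunk also does not show the caller, so it is worth confirming that nothing there dereferences cntlr once this function has returned after a shutdown.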
--- End Message ---
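The failure sequence described in the report above, modelled as an added example (not code from ser2net or from the patch author). The struct, the function names and the assumption that both write sites sit in one handler are hypothetical; the struct is only flagged as released, never really freed, so the stale accesses can be counted safely.

```c
#include <errno.h>
#include <stdbool.h>

/* Constructed stand-in for the controller struct, not ser2net's layout. */
struct ctl {
    bool live;       /* false once shut down; models free() without real UB */
    int  fd;         /* -1 once closed */
    int  stale_uses; /* accesses made after shutdown */
    int  shutdowns;  /* how many times cleanup ran */
};

/* Models a failing write(): reset by peer first, EBADF once the fd is closed. */
static int fake_write(struct ctl *c)
{
    if (!c->live) c->stale_uses++;
    errno = (c->fd < 0) ? EBADF : ECONNRESET;
    return -1;
}

static void shutdown_ctl(struct ctl *c)
{
    if (!c->live) c->stale_uses++;   /* cleanup running on released data */
    c->shutdowns++;
    c->fd = -1;
    c->live = false;
}

/* Two write sites in one handler, mirroring the two patched error ladders. */
static void handle_write(struct ctl *c, bool return_after_shutdown)
{
    for (int site = 0; site < 2; site++) {
        if (fake_write(c) == -1 && errno != EAGAIN) {
            shutdown_ctl(c);
            if (return_after_shutdown)
                return;              /* the line the patch adds */
        }
    }
}

/* Returns the number of stale accesses; *shutdowns gets the cleanup count. */
int run_model(bool return_after_shutdown, int *shutdowns)
{
    struct ctl c = { true, 3, 0, 0 };
    handle_write(&c, return_after_shutdown);
    *shutdowns = c.shutdowns;
    return c.stale_uses;
}
```

Without the return, the second write site runs on the released controller and cleanup executes twice; with it, the handler stops after the first shutdown.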
--- Begin Message ---
Source: ser2net
Source-Version: 2.5-1+lenny1
We believe that the bug you reported is fixed in the latest version of
ser2net, which is due to be installed in the Debian FTP archive:
ser2net_2.5-1+lenny1.diff.gz
to main/s/ser2net/ser2net_2.5-1+lenny1.diff.gz
ser2net_2.5-1+lenny1.dsc
to main/s/ser2net/ser2net_2.5-1+lenny1.dsc
ser2net_2.5-1+lenny1_i386.deb
to main/s/ser2net/ser2net_2.5-1+lenny1_i386.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 535...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Marc Haber <mh+debian-packa...@zugschlus.de> (supplier of updated ser2net
package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Tue, 28 Sep 2010 19:58:37 +0000
Source: ser2net
Binary: ser2net
Architecture: source i386
Version: 2.5-1+lenny1
Distribution: stable
Urgency: low
Maintainer: Marc Haber <mh+debian-packa...@zugschlus.de>
Changed-By: Marc Haber <mh+debian-packa...@zugschlus.de>
Description:
ser2net - Serial port to network proxy
Closes: 535159
Changes:
ser2net (2.5-1+lenny1) stable; urgency=low
.
* add patch from Sebastian Andrzej Siewior. Closes: #535159
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
iEYEARECAAYFAkyi7kkACgkQgZalRGu6PISgigCgmZ68+kcd3/9DeLQgEmgCOLzv
paoAn0XERqIVEeRg/CMQWZ9M+QmLYx4z
=12SJ
-----END PGP SIGNATURE-----
--- End Message ---