On Thu, 12 Nov 2020 09:33:42 +0530 parameswaran krishnamurthy <parkr...@gmail.com> wrote:
> The same crash is observed in the following package too.
>
> package: telnetd-ssl
> version: 0.17.41+0.2-3.2+b1
>

this is an infinite recursion during exit. a patch is attached.

Description: Infinite recursion on cleanup.
 This is happening from the handling of the "Abort Output"
 command. This causes flushing of "netfile", which in turn
 calls fflush. In this case, the netwritebuf() also fails
 to write the iovec. That in turn calls cleanup(0). This
 leads to another call to fflush() from the atexit handler,
 causing a recursion that never ends as writev() in netwritebuf()
 keeps on failing.
 
 Fix by checking the return from netwritebuf and returning an error
 to the caller.

Author: Nachiketa Prachanda <nprac...@vyatta.att-mail.com>
Comment: Fix infinite recursion on cleanup
Forwarded: no
Last Update: 2020-11-16

--- a/telnetd/utility.c
+++ b/telnetd/utility.c
@@ -236,7 +236,7 @@
 	doclear--;
 }  /* end of netclear */
 
-static void
+static int
 netwritebuf(void)
 {
 	struct iovec *vector;
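Review bot: netwritebuf() changes from void to int here without any comment stating the return contract. A short comment above the definition saying that it returns 0 on success or on a retryable condition and -1 on a hard failure would help, because a call site that is not updated will still compile and will silently ignore the result.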
@@ -247,11 +247,11 @@
 	int ltrailing = trailing;
 
 	if (!listlen)
-		return;
+		return 0;
 
 	vector = malloc(listlen * sizeof(struct iovec));
 	if (!vector) {
-		return;
+		return -1;
 	}
 
 	len = listlen - (doclear & ltrailing);
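Review bot: the malloc failure path at "if (!vector)" now returns -1, which the updated caller handles the same way as a failed write, whereas the original returned without signalling anything. If treating an allocation failure as a hard error is intended, the description should say so. This path also has no syslog line, unlike the write failure path later in the function, so the two -1 cases cannot be told apart in the logs.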
@@ -284,9 +284,11 @@
 	free(vector);
 
 	if (n < 0) {
-		if (errno != EWOULDBLOCK && errno != EINTR)
-			cleanup(0);
-		return;
+		if (errno != EWOULDBLOCK && errno != EINTR) {
+			syslog(LOG_INFO, "telnetd:%s:%d:errno=%d\n", __func__, __LINE__, errno);
+			return -1;
+		}
+		return 0;
 	}
 
 	len = n + skip;
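Review bot: in the "n < 0" branch, errno is tested and logged after free(vector) has already run, and free() is not guaranteed to preserve errno on every C library, so both the EWOULDBLOCK/EINTR test and the logged value may not reflect the failed write. Saving errno in a local immediately after the write and using that local in both places avoids this. The format string also ends in "\n", which syslog does not need, and prints errno only as a number; "%m" or strerror() would be easier to read, and LOG_INFO looks low for a hard write failure.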
@@ -312,6 +314,7 @@
 	}
 
 	skip = len;
+	return 0;
 }
 
 /*
@@ -1247,7 +1250,8 @@
 		ret += l;
 	}
 
-	netwritebuf();
+	if (netwritebuf() < 0)
+		return -1;
 	return ret;
 }
 
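Review bot: "return -1" at this call site drops the byte count already accumulated in ret, and with cleanup(0) removed from netwritebuf() nothing in the visible hunks ends the session after a hard write failure. Please confirm that the caller of this function acts on -1 and that a negative return is what its interface expects, and check any other netwritebuf() call sites, since this is the only one the patch updates.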
