Date:      Sun, 17 Feb 2002 22:16:38 -0800 (PST)
From:      Matthew Dillon <dillon@apollo.backplane.com>
To:        security@freebsd.org
Subject:   security bug / kernel tty buffer overflow
Message-ID:  <200202180616.g1I6Gc511474@apollo.backplane.com>

    Neelkanth Natu posted this message on hackers.

    There are two places in kern/tty_pty.c that test ICANON against
    tp->t_iflag instead of tp->t_lflag.  I have committed a fix to
    -current with a 3-day MFC to -stable.  This should probably go
    into the security branch at some point.

					-Matt
					Matthew Dillon 
					<dillon@backplane.com>

:From:     Neelkanth Natu <neelnatu@yahoo.com>
:Subject:  bug in ptcwrite()
:To:       freebsd-hackers@FreeBSD.ORG
:Date:     Sun, 17 Feb 2002 13:52:40 -0800 (PST)
:
:Hi,
:
:The following code in ptcwrite() in kern/tty_pty.c is supposed to prevent 
:the tty input buffer overflow (for certain cases):
:
:	if ((tp->t_rawq.c_cc + tp->t_canq.c_cc) >= TTYHOG - 2 &&
:	   (tp->t_canq.c_cc > 0 || !(tp->t_iflag&ICANON))) {
:		wakeup(TSA_HUP_OR_INPUT(tp));
:		goto block;
:	}
:
:But the ICANON flag is set in tp->t_lflag and not tp->t_iflag. The ICRNL flag
:in tp->t_iflag has the same value as the ICANON flag in tp->t_lflag (0x100).
:This leads to input buffer overflow as soon as the ICRNL bit is set in 
:tp->t_iflag, and there are more than 1024 characters that telnet/ssh wants 
:to write to the pty.
:
:I discovered this problem when using libreadline because it changes the 
:terminal settings every time it begins/finishes reading a line.
:
:Has anyone else seen a similar problem? I saw identical behavior on NetBSD
:too. Please CC me as I am not on the mailing list.
:
:thanks
:Neel

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
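The flag-namespace mix-up Neel describes, reduced to a small userland model (an added example, not code from FreeBSD's kern/tty_pty.c or from either poster). It assumes the 4.4BSD-derived bit values the message gives, ICANON in c_lflag and ICRNL in c_iflag both equal to 0x100, and an assumed TTYHOG of 1024; the constants are defined locally rather than taken from <termios.h> because other systems (Linux, for one) use different values. The model keeps only the two flag words and the two queue fill counts, feeds bytes into the raw queue one at a time with nobody reading, and stops where the high-water check says "block" (the real kernel sleeps there). Running the check as posted beside the corrected one shows that with ICRNL set and the line in non-canonical mode, exactly the state readline leaves the terminal in, the posted check never blocks and the raw queue runs past TTYHOG, while the corrected check, and the posted check with ICRNL clear, both stop at TTYHOG - 2.

```c
#include <stdio.h>

/* Bit values from the message: on 4.4BSD-derived systems ICANON (c_lflag)
 * and ICRNL (c_iflag) share the value 0x100.  Defined locally so the model
 * does not depend on the host's <termios.h> (Linux uses other values). */
#define BSD_ICANON 0x100   /* c_lflag: canonical (line-editing) input mode  */
#define BSD_ICRNL  0x100   /* c_iflag: map CR to NL on input                 */
#define TTYHOG     1024    /* assumed tty input high-water mark (bytes)      */

/* Minimal stand-in for the kernel's struct tty: the two flag words and the
 * fill levels of the raw and canonical input queues. */
struct tty_model {
    unsigned t_iflag;
    unsigned t_lflag;
    int      rawq_cc;      /* models tp->t_rawq.c_cc */
    int      canq_cc;      /* models tp->t_canq.c_cc */
};

/* The check as posted: ICANON is tested against t_iflag, where the same
 * bit means ICRNL. */
static int should_block_buggy(const struct tty_model *tp)
{
    return (tp->rawq_cc + tp->canq_cc) >= TTYHOG - 2 &&
           (tp->canq_cc > 0 || !(tp->t_iflag & BSD_ICANON));
}

/* The corrected check: ICANON lives in t_lflag. */
static int should_block_fixed(const struct tty_model *tp)
{
    return (tp->rawq_cc + tp->canq_cc) >= TTYHOG - 2 &&
           (tp->canq_cc > 0 || !(tp->t_lflag & BSD_ICANON));
}

/* Push nchars bytes into a non-canonical line with nobody reading, one byte
 * per iteration as ptcwrite() does, stopping where the given check says
 * "block" (the real kernel does wakeup + goto block and sleeps).  Returns the
 * final raw-queue fill; anything above TTYHOG means the check let the writer
 * overrun the buffer. */
static int fill_rawq(unsigned iflag, unsigned lflag, int nchars,
                     int (*should_block)(const struct tty_model *))
{
    struct tty_model tp = { .t_iflag = iflag, .t_lflag = lflag,
                            .rawq_cc = 0, .canq_cc = 0 };
    for (int i = 0; i < nchars; i++) {
        if (should_block(&tp))
            break;
        tp.rawq_cc++;        /* raw mode: every byte lands in t_rawq */
    }
    return tp.rawq_cc;
}

/* Scenario from the report: readline has cleared ICANON in t_lflag while
 * ICRNL stays set in t_iflag, and sshd/telnetd writes more than TTYHOG. */
static int overrun_buggy_icrnl_set(int nchars)
{
    return fill_rawq(BSD_ICRNL, 0, nchars, should_block_buggy);
}

static int overrun_fixed_icrnl_set(int nchars)
{
    return fill_rawq(BSD_ICRNL, 0, nchars, should_block_fixed);
}

/* Same writer, ICRNL clear: the posted check happens to behave correctly,
 * which is why the bug only shows up once ICRNL is turned on. */
static int overrun_buggy_icrnl_clear(int nchars)
{
    return fill_rawq(0, 0, nchars, should_block_buggy);
}

int main(void)
{
    printf("posted check,    ICRNL set:   rawq ends at %d (TTYHOG = %d)\n",
           overrun_buggy_icrnl_set(2000), TTYHOG);
    printf("corrected check, ICRNL set:   rawq ends at %d\n",
           overrun_fixed_icrnl_set(2000));
    printf("posted check,    ICRNL clear: rawq ends at %d\n",
           overrun_buggy_icrnl_clear(2000));
    return 0;
}
```

The model deliberately leaves out canonical-mode behaviour (bytes migrating from t_rawq to t_canq on a line terminator), since the report is about the non-canonical case where t_canq stays empty and the `!(tp->t_iflag & ICANON)` term is the only thing that can make the check fire.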
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200202180616.g1I6Gc511474>