Date: Sun, 17 Feb 2002 22:05:26 -0800 (PST) From: Matthew Dillon <dillon@apollo.backplane.com> To: Neelkanth Natu <neelnatu@yahoo.com> Cc: freebsd-hackers@FreeBSD.ORG Subject: Re: bug in ptcwrite() Message-ID: <200202180605.g1I65Q311382@apollo.backplane.com> References: <20020217215240.6584.qmail@web14205.mail.yahoo.com>
next in thread | previous in thread | raw e-mail | index | archive | help
Hey, great find! I see two places in that file where ICANON is improperly tested against t_iflag instead of t_lflag. Have you done any further testing using the t_lflag field instead of t_iflag? Did it fix the crash you were getting? -Matt :Hi, : :The following code in ptcwrite() in kern/tty_pty.c is supposed to prevent :the tty input buffer overflow (for certain cases): : : 612 if ((tp->t_rawq.c_cc + tp->t_canq.c_cc) >= TTYHOG - 2 && : 613 (tp->t_canq.c_cc > 0 || !(tp->t_iflag&ICANON))) { : 614 wakeup(TSA_HUP_OR_INPUT(tp)); : 615 goto block; : 616 } : :But the ICANON flag is set in tp->t_lflag and not tp->t_iflag. The ICRNL flag :in tp->t_iflag has the same value as the ICANON flag in tp->t_lflag (0x100). :This leads to input buffer overflow as soon as the ICRNL bit is set in :tp->t_iflag, and there are more than 1024 characters that telnet/ssh wants :to write to the pty. : :I discovered this problem when using libreadline because it changes the :terminal settings every time it is begins/finishes reading a line. : :Has anyone else seen a similar problem ? I saw identical behavior on NetBSD :too. Please CC me as I am not on the mailing list. : :thanks :Neel To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-hackers" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200202180605.g1I65Q311382>