Date: Mon, 25 Apr 2016 14:42:35 -0500
From: Tim Zingelman <zingelman@fnal.gov>
To: Rustam <rustamabd@gmail.com>
Cc: "freebsd-security@freebsd.org" <freebsd-security@freebsd.org>
Subject: Re: Signal 11 dumps in telnetd (freebsd 10.3 release)
Message-ID: <Pine.SOL.4.64.1604251437180.16065@nova.fnal.gov>
In-Reply-To: <6c6961526afe4f8b947fa11d585befd3@BY2PR09MB0754.namprd09.prod.outlook.com>
[-- Attachment #1 --]

See if the attached patch helps. It applies cleanly to ports/security/krb5-appl, but may need adjustment for the base system telnetd.

- Tim

On Sun, 24 Apr 2016, Rustam wrote:

> I got a couple of dozen dumps in /usr/libexec/telnetd (signal 11), and I'm
> wondering what those could be.
>
> FreeBSD 10.3-RELEASE, built from source.
>
> Dump stack trace:
> telrcv+333
> ttloop+7C
> doit+1687
> main+64D
>
> Dump is at address 0x0000000000404713:
>
> .text:0004046E2 loc_4046E2:
> .text:0004046E2 test byte ptr cs:diagnostic, 10h ; jumptable 0004046DB cases 11,12
> .text:0004046E9 jz short loc_4046F7
> .text:0004046EB mov edi, offset fmt ; "td: recv IAC"
> .text:0004046F0 mov esi, ebx ; option
> .text:0004046F2 call printoption
> .text:0004046F7 loc_4046F7:
> .text:0004046F7 call ptyflush
> .text:0004046FC call init_termbuf
> .text:000404701 cmp ebx, 0F7h
> .text:000404707 mov eax, 6199D8h
> .text:00040470C cmovz rax, r14
> .text:000404710 mov rax, [rax]
> .text:000404713 mov al, [rax] ; <========== Signal 11 HERE
> .text:000404715 cmp al, 0FFh
> .text:000404717 jz loc_40495A ; jumptable 0004046DB default case
> .text:00040471D mov rcx, cs:pfrontp
> .text:000404724 lea rdx, [rcx+1]
> .text:000404728 mov cs:pfrontp, rdx
> .text:00040472F mov [rcx], al
> .text:000404731 mov cs:telrcv_state, 0
> .text:00040473B jmp loc_4049A0
>
>
> Regards,
>
> Rustam
> _______________________________________________
> freebsd-security@freebsd.org mailing list
> https://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
>

[-- Attachment #2 --]

--- telnet/telnetd/state.c.orig 2016-02-19 14:44:57.000000000 -0600
+++ telnet/telnetd/state.c 2016-02-19 14:47:44.000000000 -0600
@@ -227,16 +227,18 @@ case EC: case EL: { - cc_t ch; + cc_t ch = (cc_t)(_POSIX_VDISABLE); DIAG(TD_OPTIONS, printoption("td: recv IAC", c)); ptyflush(); /* half-hearted */ init_termbuf(); if (c == EC) - ch = *slctab[SLC_EC].sptr; + if (slctab[SLC_EC].sptr) + ch = *slctab[SLC_EC].sptr; else - ch = *slctab[SLC_EL].sptr; + if (slctab[SLC_EL].sptr) + ch = *slctab[SLC_EL].sptr; if (ch != (cc_t)(_POSIX_VDISABLE)) *pfrontp++ = (unsigned char)ch; break;
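Review bot: the new `if (slctab[SLC_EC].sptr)` nested directly under `if (c == EC)` has no braces, so the existing `else` now binds to the inner `if` (dangling else). With the hunk as written, when `c == EC` and `slctab[SLC_EC].sptr` is NULL the code falls into the `SLC_EL` branch and may emit the EL character instead, and when `c == EL` neither assignment runs, so `ch` stays `_POSIX_VDISABLE` and the EL character is silently dropped. Put braces around both arms, e.g. `if (c == EC) { if (slctab[SLC_EC].sptr) ch = *slctab[SLC_EC].sptr; } else { if (slctab[SLC_EL].sptr) ch = *slctab[SLC_EL].sptr; }`. The NULL guard itself is the right fix for the reported crash (the trace faults on `mov al, [rax]` right after loading the `sptr` slot), and initialising `ch` to `_POSIX_VDISABLE` is needed so the unchanged `if (ch != (cc_t)(_POSIX_VDISABLE))` test does not push an uninitialised byte to `pfrontp` when the pointer is absent.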
