Your message dated Mon, 03 Aug 2009 13:49:00 +0000
with message-id <[email protected]>
and subject line Bug#535159: fixed in ser2net 2.6-1
has caused the Debian Bug report #535159,
regarding ser2net: fix use after in control port handling
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
535159: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=535159
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: ser2net
Version: 2.5-1
Severity: serious
tags: patch

ser2net provides a control port which may be (ab)used to cause a segfault via
use after free. The write() handler may catch an error, free the
controller struct and continue writing. This leads to another error
(invalid fd) and a free & cleanup process on de-allocated data. This is
the segfault.

The patch attached fixes the problem.

Sebastian
Subject: Fix use after free in controller

The controller will use its dynamically allocated data after it got free() 
in error path. What we see in syslog is:

| Jun 30 10:26:38 consrv3 ser2net[3073]: read error for controller port: Connection reset by peer
| Jun 30 10:26:39 consrv3 ser2net[3073]: The tcp write for controller had error: Bad file descriptor

The first error is "legal" because the destination decided to close its
socket a little earlier than expected. The second error is already bad
because it tries to use an already deallocated fd. Later we segfault.

Signed-off-by: Sebastian Andrzej Siewior <[email protected]>
Index: ser2net-2.5/controller.c
===================================================================
--- ser2net-2.5.orig/controller.c       2009-06-30 10:50:57.000000000 +0200
+++ ser2net-2.5/controller.c    2009-06-30 10:52:28.000000000 +0200
@@ -557,10 +557,12 @@
                /* This again was due to O_NONBLOCK, just ignore it. */
            } else if (errno == EPIPE) {
                shutdown_controller(cntlr);
+               return;
            } else {
                /* Some other bad error. */
                syslog(LOG_ERR, "The tcp write for controller had error: %m");
                shutdown_controller(cntlr);
+               return;
            }
        } else {
            int i, j;
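
Review bot: the two added `return;` statements after `shutdown_controller(cntlr)` carry no comment saying why the function has to stop here. Per the commit message, `cntlr` is freed in this error path, so a short comment at each return (for example "cntlr is gone after shutdown_controller(), do not touch it") would keep a later edit from reintroducing the fall-through. The bare `return;` also gives the caller no signal that the controller was torn down, so please confirm that no caller dereferences `cntlr` after this function returns.
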
@@ -584,10 +586,12 @@
            /* This again was due to O_NONBLOCK, just ignore it. */
        } else if (errno == EPIPE) {
            shutdown_controller(cntlr);
+           return;
        } else {
            /* Some other bad error. */
            syslog(LOG_ERR, "The tcp write for controller had error: %m");
            shutdown_controller(cntlr);
+           return;
        }
     } else {
        cntlr->outbuf_count -= write_count;
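
Review bot: this errno chain (ignore the O_NONBLOCK case, `shutdown_controller(cntlr)` on EPIPE, syslog plus shutdown otherwise) is a copy of the one in the hunk above, so the return-after-shutdown rule now has to be maintained in four places. Consider moving it into one helper that reports whether the controller was shut down, and have both write sites return when it says so; then `cntlr->outbuf_count -= write_count;` and whatever follows it can only run on a live controller.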

--- End Message ---
--- Begin Message ---
Source: ser2net
Source-Version: 2.6-1

We believe that the bug you reported is fixed in the latest version of
ser2net, which is due to be installed in the Debian FTP archive:

ser2net_2.6-1.diff.gz
  to pool/main/s/ser2net/ser2net_2.6-1.diff.gz
ser2net_2.6-1.dsc
  to pool/main/s/ser2net/ser2net_2.6-1.dsc
ser2net_2.6-1_i386.deb
  to pool/main/s/ser2net/ser2net_2.6-1_i386.deb
ser2net_2.6.orig.tar.gz
  to pool/main/s/ser2net/ser2net_2.6.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Marc Haber <[email protected]> (supplier of updated ser2net package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


Format: 1.8
Date: Mon, 03 Aug 2009 15:17:26 +0200
Source: ser2net
Binary: ser2net
Architecture: source i386
Version: 2.6-1
Distribution: unstable
Urgency: low
Maintainer: Marc Haber <[email protected]>
Changed-By: Marc Haber <[email protected]>
Description: 
 ser2net    - Allows network connections to serial ports
Closes: 531733 535159
Changes: 
 ser2net (2.6-1) unstable; urgency=low
 .
   * New upstream version.
     * Fix segfault (control port use after free).
       Thanks to Sebastian Andrzej Siewior. Closes: #535159
   * add dpatch usage, regenerate debian/control
   * Apply patch from Geoff Simmons regarding documentation of the
     timeout option, sync with upstream CVS. Closes: #531733
   * debian/watch: use sf redirector.
   * Standards-Version: 3.8.2 (no changes necessary)



--- End Message ---
