See if the attached patch helps.

It applies cleanly to ports/security/krb5-appl, but may need adjustment for the base system telnetd.

 - Tim

On Sun, 24 Apr 2016, Rustam wrote:

I got a couple of dozen core dumps from /usr/libexec/telnetd (signal 11, SIGSEGV), and I'm
wondering what could be causing them.

FreeBSD 10.3-RELEASE, built from source.

Stack trace from the dump:
 telrcv+333
 ttloop+7C
 doit+1687
 main+64D

The faulting instruction is at address 0x0000000000404713:

.text:0004046E2 loc_4046E2:
.text:0004046E2         test    byte ptr cs:diagnostic, 10h ; jumptable
0004046DB cases 11,12
.text:0004046E9         jz      short loc_4046F7
.text:0004046EB         mov     edi, offset fmt ; "td: recv IAC"
.text:0004046F0         mov     esi, ebx        ; option
.text:0004046F2         call    printoption
.text:0004046F7 loc_4046F7:
.text:0004046F7         call    ptyflush
.text:0004046FC         call    init_termbuf
.text:000404701         cmp     ebx, 0F7h
.text:000404707         mov     eax, 6199D8h
.text:00040470C         cmovz   rax, r14
.text:000404710         mov     rax, [rax]
.text:000404713         mov     al, [rax]      ; <========== Signal 11 HERE
.text:000404715         cmp     al, 0FFh
.text:000404717         jz      loc_40495A      ; jumptable 0004046DB
default case
.text:00040471D         mov     rcx, cs:pfrontp
.text:000404724         lea     rdx, [rcx+1]
.text:000404728         mov     cs:pfrontp, rdx
.text:00040472F         mov     [rcx], al
.text:000404731         mov     cs:telrcv_state, 0
.text:00040473B         jmp     loc_4049A0


Regards,

Rustam
--- telnet/telnetd/state.c.orig 2016-02-19 14:44:57.000000000 -0600
+++ telnet/telnetd/state.c      2016-02-19 14:47:44.000000000 -0600
@@ -227,16 +227,18 @@
                        case EC:
                        case EL:
                            {
-                               cc_t ch;
+                               cc_t ch = (cc_t)(_POSIX_VDISABLE);
 
                                DIAG(TD_OPTIONS,
                                        printoption("td: recv IAC", c));
                                ptyflush();     /* half-hearted */
                                init_termbuf();
                                if (c == EC)
-                                       ch = *slctab[SLC_EC].sptr;
+                                       if (slctab[SLC_EC].sptr)
+                                         ch = *slctab[SLC_EC].sptr;
                                else
-                                       ch = *slctab[SLC_EL].sptr;
+                                       if (slctab[SLC_EL].sptr)
+                                         ch = *slctab[SLC_EL].sptr;
                                if (ch != (cc_t)(_POSIX_VDISABLE))
                                        *pfrontp++ = (unsigned char)ch;
                                break;
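Review bot: The unchanged `else` now binds to the new inner `if (slctab[SLC_EC].sptr)` rather than to `if (c == EC)`, so with the patch as written an IAC EL never sets `ch` (it stays `_POSIX_VDISABLE` and nothing is forwarded to the pty), while an IAC EC whose `SLC_EC` pointer is NULL falls through and reads the `SLC_EL` entry instead. Braces around both branches restore the intended pairing; a minimal version is below. The NULL guard itself is consistent with the disassembly in the report, where the fault is the byte load through the pointer chosen by `cmovz` (`mov al, [rax]`), i.e. a NULL or otherwise invalid `sptr`, but the patch treats the symptom, so it would be worth recording in the commit message why that pointer can be unset for an established session, if that is known. The added lines also use two-space indentation where the surrounding code is tab-indented. The enclosing `switch` and `telrcv()` begin and end outside this hunk.
```c
				init_termbuf();
				if (c == EC) {
					if (slctab[SLC_EC].sptr)
						ch = *slctab[SLC_EC].sptr;
				} else {
					if (slctab[SLC_EL].sptr)
						ch = *slctab[SLC_EL].sptr;
				}
				/* … unchanged: _POSIX_VDISABLE check and *pfrontp++ store … */
```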
