Package: telnet
Version: 0.17-36
Severity: normal
Tags: patch

Assertion in ring.cc is too tight, causing abort() to be called on ring buffer overflow.
A way to reproduce the bug:

$ nc -l -p 4444 | sleep 100000 &
$ telnet 127.0.0.1 4444 </dev/zero
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
telnet: buffer overflow, losing data, sorry
telnet: ring.cc:143: int ringbuf::flush(): Assertion `top-bot > 0 && top-bot <= count' failed.
zsh: abort (core dumped)  telnet 127.0.0.1 4444 < /dev/zero

-- System Information:
Debian Release: wheezy/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 3.1.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=pl_PL.utf8, LC_CTYPE=pl_PL.utf8 (charmap=UTF-8) (ignored: LC_ALL set to pl_PL.utf8)
Shell: /bin/sh linked to /bin/dash

Versions of packages telnet depends on:
ii  libc6        2.13-26
ii  libgcc1      1:4.6.2-12
ii  libncurses5  5.9-4
ii  libstdc++6   4.6.2-12
ii  netbase      4.47

telnet recommends no packages.

telnet suggests no packages.

-- no debconf information

--- netkit-telnet-0.17/telnet/ring.cc 2012-02-10 22:50:42.000000000 +0100 +++ ring.cc 2012-02-10 22:49:54.000000000 +0100 @@ -138,11 +138,11 @@ while (count > 0) { int bot = tail; int top = head; if (top < bot) top = size; if (marked > bot) top = marked; - assert(top-bot > 0 && top-bot <= count); + assert(top-bot >= 0 && top-bot <= count); int n; if (marked==bot) n = binding->writeurg(buf+bot, top-bot); else n = binding->write(buf+bot, top-bot); if (n < 0) { busy=0; return -2; }
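
Review bot: with `top-bot >= 0` the zero-length case now falls through to `binding->write(buf+bot, top-bot)` (or `writeurg`) with a length of 0, and the hunk only shows the `n < 0` return, so please confirm that an `n == 0` result still lets `while (count > 0)` terminate instead of spinning. Since the loop body only runs when `count > 0`, `head == tail` at this point looks like a full ring rather than an empty one, and `if (top < bot) top = size;` does not cover that case; testing `top <= bot` there would flush the data from `tail` up to `size` and might allow the original, stricter assertion to stay. A short comment on the assert saying when `top == bot` is legitimate would also help the next reader.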