Package: telnet
Version: 0.17-36
Severity: normal
Tags: patch

Assertion in ring.cc is too tight, causing abort() to be called on ring buffer
overflow.

A way to reproduce the bug:

$ nc -l -p 4444 | sleep 100000 &

$ telnet 127.0.0.1 4444 </dev/zero
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.


telnet: buffer overflow, losing data, sorry
telnet: ring.cc:143: int ringbuf::flush(): Assertion `top-bot > 0 && top-bot <=
count' failed.
zsh: abort (core dumped)  telnet 127.0.0.1 4444 < /dev/zero



-- System Information:
Debian Release: wheezy/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 3.1.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=pl_PL.utf8, LC_CTYPE=pl_PL.utf8 (charmap=UTF-8) (ignored: LC_ALL 
set to pl_PL.utf8)
Shell: /bin/sh linked to /bin/dash

Versions of packages telnet depends on:
ii  libc6        2.13-26
ii  libgcc1      1:4.6.2-12
ii  libncurses5  5.9-4
ii  libstdc++6   4.6.2-12
ii  netbase      4.47

telnet recommends no packages.

telnet suggests no packages.

-- no debconf information
--- netkit-telnet-0.17/telnet/ring.cc	2012-02-10 22:50:42.000000000 +0100
+++ ring.cc	2012-02-10 22:49:54.000000000 +0100
@@ -138,11 +138,11 @@
     while (count > 0) {
 	int bot = tail;
 	int top = head;
 	if (top < bot) top = size;
 	if (marked > bot) top = marked;
-	assert(top-bot > 0 && top-bot <= count);
+	assert(top-bot >= 0 && top-bot <= count);
 
 	int n;
 	if (marked==bot) n = binding->writeurg(buf+bot, top-bot);
 	else n = binding->write(buf+bot, top-bot);
 	if (n < 0) { busy=0; return -2; }
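
Review bot: Relaxing the assertion to `top-bot >= 0` lets the loop reach `binding->write(buf+bot, top-bot)` with a zero length while `count > 0`, which silences the abort without handling the condition that triggered it. When `head == tail` and `count > 0`, the line `if (top < bot) top = size;` leaves `top == bot`, so this pass writes nothing; unless code below the visible context advances `tail` or reduces `count` when `n == 0`, the `while (count > 0)` loop may not make progress. Consider treating that case as wrapped data instead, for example `if (top <= bot) top = size;` while keeping the strict `> 0` assertion, or returning early when `top == bot`. A short comment stating what `head == tail` means when `count > 0` would also help the next reader.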
