-
Notifications
You must be signed in to change notification settings - Fork 20
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Fix buffer underflow when serial peer spews garbage #10
base: master
Are you sure you want to change the base?
Conversation
901fd2a
to
b50e4e5
Compare
A board I got spews garbage on hard reset. Sometimes that garbage is IAC and it leads to len here getting negative and the loop eventually underflows the buf. Detect and avoid this silently. Signed-off-by: Ahmad Fatoum <[email protected]>
b50e4e5
to
ff923a8
Compare
Without having looked deeply, I suspect this is the same bug as #4 which needs more work. |
I agree it needs more work, but could this be at least merged to avoid the segfaults? |
@a3f I authored a fix for #4 which looks better in my eyes. Would you mind looking at https://github.com/ukleinek/microcom/tree/issue-4 and check if this resolves your problem? |
If microcom crashes, e.g. due to the buffer underflow described in pengutronix#10, it may leave a stale lock file behind. Teach microcom detection of these stale lock files. Note that this is racy, two processes may detect a stale lock file and one might unlink the other's lock. Signed-off-by: Ahmad Fatoum <[email protected]>
If microcom crashes, e.g. due to the buffer underflow described in pengutronix#10, it may leave a stale lock file behind. Teach microcom detection of these stale lock files. Signed-off-by: Ahmad Fatoum <[email protected]>
If microcom crashes, e.g. due to the buffer underflow described in pengutronix#10, it may leave a stale lock file behind. Teach microcom detection of these stale lock files. Signed-off-by: Ahmad Fatoum <[email protected]>
@ukleinek Haven't tested it, but looks good to me. I still think you should take my patch as well, because the underlying issue is still there. A buggy telnet server could still send the exact same sequence of IAC's and overflow the stack. |
What should the malicious server send to trigger the bug? I have the impression that your commit only papers over the problem but doesn't really fix it. There is only a difference if len gets negative in either I fail to see how this could happen for |
@a3f Do you still see a way what a remote telnet server could send to trigger a buffer problem? If not, I'd close this PR. |
A board I got spews garbage on hard reset. Sometimes that garbage is IAC
and it leads to len here getting negative and the loop eventually
underflows the buf.
Detect and avoid this silently.