Bug 211225 - [PATCH]: CRASH: telnetd crashes periodically
Status: New
Alias: None
Product: Base System
Classification: Unclassified
Component: bin
Version: 10.3-STABLE
Hardware: Any Any
Importance: --- Affects Only Me
Assignee: freebsd-bugs mailing list
Keywords: patch
Reported: 2016-07-19 12:30 UTC by Joe Marcus Clarke
Modified: 2016-07-19 12:30 UTC

Attachments
Patch to fix telnetd crash (748 bytes, patch)
2016-07-19 12:30 UTC, Joe Marcus Clarke

Description Joe Marcus Clarke freebsd_committer 2016-07-19 12:30:52 UTC
Created attachment 172719
Patch to fix telnetd crash

Yes, I still have telnetd running (though I don't use it).  Periodically, it crashes.  I've tracked this down to a NULL pointer deref.  Attached is a patch that fixes the crash.

The backtrace I see is:

#0  0x0000000000405657 in telrcv () at /usr/src/libexec/telnetd/../../contrib/telnet/telnetd/state.c:231
231						ch = *slctab[SLC_EL].sptr;
(gdb) bt
#0  0x0000000000405657 in telrcv () at /usr/src/libexec/telnetd/../../contrib/telnet/telnetd/state.c:231
#1  0x000000000040a149 in ttloop () at /usr/src/libexec/telnetd/../../contrib/telnet/telnetd/utility.c:88
#2  0x0000000000407055 in doit (who=0x7fffffffeb90)
    at /usr/src/libexec/telnetd/../../contrib/telnet/telnetd/telnetd.c:510
#3  0x0000000000407aa8 in main (argc=<value optimized out>, argv=0x7fffffffec98)
    at /usr/src/libexec/telnetd/../../contrib/telnet/telnetd/telnetd.c:413
(gdb) print slctab
$1 = {{defset = {flag = 0 '\0', val = 0 '\0'}, current = {flag = 0 '\0', val = 0 '\0'}, 
    sptr = 0x0} <repeats 31 times>}
(gdb) print *slctab
$2 = {defset = {flag = 0 '\0', val = 0 '\0'}, current = {flag = 0 '\0', val = 0 '\0'}, sptr = 0x0}
(gdb) print *slctab[SLC_EL]
No symbol "SLC_EL" in current context.
(gdb) print *slctab[11]    
Structure has no component named operator*.
(gdb) print slctab[11]
$3 = {defset = {flag = 0 '\0', val = 0 '\0'}, current = {flag = 0 '\0', val = 0 '\0'}, sptr = 0x0}
(gdb) print *slctab[11]
Structure has no component named operator*.
(gdb) print *slctab[11].sptr
Cannot access memory at address 0x0
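
Added example (not part of the original report, not telnetd source, and not the attached patch, whose contents are not shown on this page): a guarded version of the lookup at state.c:231, using the struct layout and table size visible in the gdb output above. The names slc_get_char, emit_erase_line and CH_DISABLED are hypothetical, and the value of CH_DISABLED is an assumption.

```c
#include <stddef.h>

typedef unsigned char cc_t;

#define NSLC        31            /* table size per gdb ("repeats 31 times") */
#define SLC_EL      11            /* slot the reporter inspected as slctab[11] */
#define CH_DISABLED ((cc_t)0xff)  /* assumed "no character configured" value */

/* Field layout copied from the gdb print of slctab. */
struct slc_pair { cc_t flag; cc_t val; };
struct slc_entry {
    struct slc_pair defset;
    struct slc_pair current;
    cc_t *sptr;                   /* points at the tty special char, or NULL */
};

/* Zero-initialised, as in the core dump: every sptr is NULL. */
struct slc_entry slctab[NSLC];

/* Guarded form of `ch = *slctab[SLC_EL].sptr;`.
 * Returns 1 and stores the character when the slot is bound.
 * Returns 0 and stores CH_DISABLED when the index is out of range
 * or the slot's sptr was never set. */
int slc_get_char(const struct slc_entry *tab, size_t n, size_t func, cc_t *out)
{
    *out = CH_DISABLED;
    if (func >= n || tab[func].sptr == NULL)
        return 0;
    *out = *tab[func].sptr;
    return 1;
}

/* Hypothetical caller: write the erase-line character into buf only
 * when one is configured. Returns the number of bytes written (0 or 1). */
size_t emit_erase_line(const struct slc_entry *tab, size_t n,
                       unsigned char *buf, size_t buflen)
{
    cc_t ch;

    if (buflen == 0 || !slc_get_char(tab, n, SLC_EL, &ch))
        return 0;
    if (ch == CH_DISABLED)
        return 0;
    buf[0] = (unsigned char)ch;
    return 1;
}
```

With the all-zero table from the dump, emit_erase_line writes nothing instead of faulting at address 0x0.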