From owner-freebsd-hackers Sun Feb 17 23:11:49 2002
Delivered-To: freebsd-hackers@freebsd.org
Received: from web14208.mail.yahoo.com (web14208.mail.yahoo.com [216.136.173.72]) by hub.freebsd.org (Postfix) with SMTP id 1A36E37B405 for ; Sun, 17 Feb 2002 23:11:47 -0800 (PST)
Message-ID: <20020218071146.60882.qmail@web14208.mail.yahoo.com>
Received: from [12.44.190.11] by web14208.mail.yahoo.com via HTTP; Sun, 17 Feb 2002 23:11:46 PST
Date: Sun, 17 Feb 2002 23:11:46 -0800 (PST)
From: Neelkanth Natu
Subject: Re: bug in ptcwrite()
To: Matthew Dillon
Cc: freebsd-hackers@FreeBSD.ORG
In-Reply-To: <200202180605.g1I65Q311382@apollo.backplane.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Sender: owner-freebsd-hackers@FreeBSD.ORG
Precedence: bulk

Hi,

I changed the NetBSD sources (which have the identical bug) and now it works as it should, i.e. writes to the pseudo terminal block and don't overflow the real tty.

I have not done any testing with FreeBSD. The bug is easy to reproduce and the fix is correspondingly easy to verify. I don't mind testing it with FreeBSD too but it'll have to wait for a couple of days.

best
Neel

--- Matthew Dillon wrote:
> Hey, great find! I see two places in that file where ICANON is
> improperly tested against t_iflag instead of t_lflag.
>
> Have you done any further testing using the t_lflag field instead
> of t_iflag? Did it fix the crash you were getting?
>
> -Matt
>
> :Hi,
> :
> :The following code in ptcwrite() in kern/tty_pty.c is supposed to prevent
> :the tty input buffer overflow (for certain cases):
> :
> : 612 if ((tp->t_rawq.c_cc + tp->t_canq.c_cc) >= TTYHOG - 2 &&
> : 613 (tp->t_canq.c_cc > 0 || !(tp->t_iflag&ICANON))) {
> : 614 wakeup(TSA_HUP_OR_INPUT(tp));
> : 615 goto block;
> : 616 }
> :
> :But the ICANON flag is set in tp->t_lflag and not tp->t_iflag. The ICRNL flag
> :in tp->t_iflag has the same value as the ICANON flag in tp->t_lflag (0x100).
> :This leads to input buffer overflow as soon as the ICRNL bit is set in
> :tp->t_iflag, and there are more than 1024 characters that telnet/ssh wants
> :to write to the pty.
> :
> :I discovered this problem when using libreadline because it changes the
> :terminal settings every time it begins/finishes reading a line.
> :
> :Has anyone else seen a similar problem? I saw identical behavior on NetBSD
> :too. Please CC me as I am not on the mailing list.
> :
> :thanks
> :Neel
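The flag-field confusion in the quoted ptcwrite() check, modelled as an added stand-alone example that is not code from this thread or from the FreeBSD/NetBSD kernel. The struct, the helper functions and the two scenarios are constructed for illustration; ICRNL and ICANON are both given the value 0x100 the thread cites, and TTYHOG is set to 1024. The buggy predicate tests ICANON against t_iflag exactly as in the quoted lines, the fixed predicate tests it against t_lflag, and the two scenarios show the check giving the wrong answer in both directions:

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed model of the relevant tty fields. The two flag values
 * deliberately collide (0x100), as the thread points out for the BSD
 * termios constants. */
#define ICRNL  0x00000100u   /* input flag (t_iflag): map CR to NL */
#define ICANON 0x00000100u   /* local flag (t_lflag): canonical mode */
#define TTYHOG 1024          /* input queue high-water mark */

struct clist { int c_cc; };  /* character count only; no real queue */
struct tty {
    unsigned     t_iflag;
    unsigned     t_lflag;
    struct clist t_rawq;     /* raw input queue */
    struct clist t_canq;     /* canonicalized (line-complete) queue */
};

/* Predicate as quoted from ptcwrite(): ICANON tested against t_iflag. */
bool ptcwrite_blocks_buggy(const struct tty *tp)
{
    return (tp->t_rawq.c_cc + tp->t_canq.c_cc) >= TTYHOG - 2 &&
           (tp->t_canq.c_cc > 0 || !(tp->t_iflag & ICANON));
}

/* Corrected predicate: ICANON lives in t_lflag. */
bool ptcwrite_blocks_fixed(const struct tty *tp)
{
    return (tp->t_rawq.c_cc + tp->t_canq.c_cc) >= TTYHOG - 2 &&
           (tp->t_canq.c_cc > 0 || !(tp->t_lflag & ICANON));
}

/* Convenience wrappers: build a tty state and evaluate each predicate. */
static struct tty make_tty(unsigned iflag, unsigned lflag, int rawq, int canq)
{
    struct tty t = { iflag, lflag, { rawq }, { canq } };
    return t;
}

bool check_buggy(unsigned iflag, unsigned lflag, int rawq, int canq)
{
    struct tty t = make_tty(iflag, lflag, rawq, canq);
    return ptcwrite_blocks_buggy(&t);
}

bool check_fixed(unsigned iflag, unsigned lflag, int rawq, int canq)
{
    struct tty t = make_tty(iflag, lflag, rawq, canq);
    return ptcwrite_blocks_fixed(&t);
}

int main(void)
{
    /* Scenario 1 (the readline case from the thread): non-canonical mode
     * with ICRNL set and the raw queue at the high-water mark. The write
     * must block; the buggy check lets it through and the queue overflows. */
    printf("non-canonical, ICRNL set, rawq full: buggy=%d fixed=%d\n",
           check_buggy(ICRNL, 0, TTYHOG - 2, 0),
           check_fixed(ICRNL, 0, TTYHOG - 2, 0));

    /* Scenario 2: canonical mode, no ICRNL, raw queue full but no complete
     * line yet. The intended logic does not block here (the line may still
     * be completed); the buggy check blocks anyway. */
    printf("canonical, ICRNL clear, rawq full:   buggy=%d fixed=%d\n",
           check_buggy(0, ICANON, TTYHOG - 2, 0),
           check_fixed(0, ICANON, TTYHOG - 2, 0));
    return 0;
}
```

Both scenarios share the same bit pattern in the wrong field, which is why the bug only surfaces once a program such as readline toggles ICRNL/ICANON around each line read; the fix is a one-word field change, and the same pattern (a flag constant tested against a field that holds a different flag set with a colliding value) is worth grepping for wherever termios flags are compared.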