Description
While investigating Sun Ray bug 6631481, in which Xsun hung in
dtlogin_receive_packet(), several issues were discovered in this code (which is
shared between Xsun & Xorg) that should be fixed:
1) Once the WakeupHandler detects the pipe is readable, dtlogin_receive_packet runs
its loop until the "EOF=" is read. If for some reason that never arrives
(as was the case in 6631481), Xsun hangs forever in this function.
2) When adding the dtloginSocket to the select mask, the code does not ensure that
cur_max_socks is set high enough to include it, which may cause the socket not
to be checked by select (if select thus leaves the bit set, it could cause the
Xserver to read prematurely and then hit #1 above).
3) When allocating the buffer for the read, dtlogin_receive_packet calls xalloc,
which does not initialize the memory, and then immediately scans that memory,
looking for the ";" separator. Fortunately, we seem to hit a 0 byte quickly most of
the time, falling through into the read code, but if the allocated buffer happened
to be filled with garbage without a zero byte, we could go past the end of the
buffer and possibly segfault when hitting the end of the heap.
4) When checking to see if the buffer needs to be reallocated to be larger, the
size to reallocate to is calculated differently in the realloc() call than in
the variable in which the new size is stored, causing incorrect checks after
resizing. Fortunately, dtlogin should never write so much data over this pipe
that we need to reallocate this buffer.
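
A sketch of a receive loop that avoids issues 1, 3 and 4 above, added here as an example; it is not the Xsun/Xorg code. The function name, the size and timeout constants, and the use of poll() and calloc() are assumptions made for illustration, and the packet is assumed to be text with no embedded zero bytes.

```c
#include <poll.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define PKT_INIT_SIZE  64     /* assumed starting buffer size */
#define PKT_MAX_SIZE   4096   /* assumed upper bound on one packet */
#define PKT_TIMEOUT_MS 200    /* assumed limit on each wait for data */

/* Hypothetical helper: read until "EOF=" is seen. Gives up on timeout,
 * peer close, read error or size limit. Returns a NUL-terminated buffer
 * (caller frees) with its length in *out_len, or NULL on failure. */
char *recv_packet(int fd, size_t *out_len)
{
    size_t size = PKT_INIT_SIZE, used = 0;
    char *buf = calloc(1, size);            /* issue 3: zero-filled */
    if (buf == NULL)
        return NULL;

    for (;;) {
        struct pollfd pfd = { .fd = fd, .events = POLLIN };
        /* issue 1: never wait forever for the terminator */
        if (poll(&pfd, 1, PKT_TIMEOUT_MS) <= 0)
            break;
        if (used + 1 >= size) {             /* keep room for the NUL */
            size_t new_size = size * 2;     /* issue 4: one value ... */
            if (new_size > PKT_MAX_SIZE)
                break;
            char *tmp = realloc(buf, new_size);
            if (tmp == NULL)
                break;
            buf = tmp;
            size = new_size;                /* ... for realloc and checks */
        }
        ssize_t n = read(fd, buf + used, size - used - 1);
        if (n <= 0)
            break;                          /* peer closed or read error */
        used += (size_t)n;
        buf[used] = '\0';                   /* scans stop at bytes read */
        if (strstr(buf, "EOF=") != NULL) {  /* also matches across reads */
            *out_len = used;
            return buf;
        }
    }
    free(buf);
    return NULL;
}
```

A caller that gets NULL can drop the connection and return to its main loop instead of blocking inside the handler.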