authorNeels Hofmeyr <neels@hofmeyr.de>2019-08-21 17:40:51 +0200
committerNeels Hofmeyr <neels@hofmeyr.de>2019-08-27 17:49:21 +0200
commitbbe03347fa781ff105433731670c805fcd4e199c (patch)
tree883399bbea526c7d2be342a89f52dbf5a0d58838 /src/vty/vty.c
parent2d90611cb06b780b165296aa3abd1f7229d503f9 (diff)
fix: vty crash by logging to killed telnet sessionneels/vty_dos
When a telnet session dies (e.g. killall telnet) and also has logging enabled, the closing of the telnet session logs to the killed telnet session and segfaults: the vty->obuf is already NULL. In vty_out(), guard against this situation by not composing an output if vty->obuf is NULL. Also guard all buffer_*() functions against a NULL buffer argument, which should catch all other hypothetical code paths trying to add to a closed vty->obuf. Related: OS#4164 Change-Id: Idca3f54dc986abf6784790c12e69e02bdf77cb41
Diffstat (limited to 'src/vty/vty.c')
1 files changed, 7 insertions, 0 deletions
diff --git a/src/vty/vty.c b/src/vty/vty.c
index a96d86ce..33160170 100644
--- a/src/vty/vty.c
+++ b/src/vty/vty.c
@@ -260,6 +260,13 @@ int vty_out_va(struct vty *vty, const char *format, va_list ap)
vprintf(format, ap);
} else {
va_list args;
+ if (!vty->obuf) {
+ /* There is no output buffer. This can happen from logging to a telnet session, during cleanup
+ * of this same (killed) telnet session. See OS#4164. */
+ return 0;
+ }
/* Try to write to initial buffer. */
va_copy(args, ap);
len = vsnprintf(buf, sizeof buf, format, args);
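Review bot: The new `if (!vty->obuf)` guard in the else branch only protects this path if the close code resets `vty->obuf` to NULL after releasing it; the commit message says it is NULL at that point, but the teardown code is outside this hunk, so that is worth confirming, because a freed but non-NULL pointer would pass the check and still be written to. The guard also handles the symptom rather than the cause: the log target of the dying session is apparently still attached while the session is cleaned up, and detaching it before the buffer is released would close the window instead of dropping the output. As written, `return 0;` cannot be told apart from a zero-length write, so I would say so in the comment, e.g. `/* ... See OS#4164. The output is dropped and 0 is returned. */`. The body of vty_out_va starts and ends outside the hunk.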