Hangs in Netatalk which cause it to stop responding to connections. The master afpd process gets stuck in a poll loop, being repeatedly notified that there are connections on its socket, but never actually doing anything with them.
Analysis with gdb revealed that the data structure dealing with the main AFP socket and the IPC client sockets was smashed. This could happen because the function fdset_add_fd() doesn't do bound checking itself but relies on other parts of the code that enforce a connection limit.
Unfortunately, for low-level AFP connections that don't result in a full AFP login these checks come too late, resulting in a buffer overflow.
Add a bound check. While we're at it, rewrite the fdset code to use a full blown data structure encapsulating the implementation details.
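As an added illustration (not Netatalk's actual code; the struct layout, names and FDSET_MAX value are assumptions), here is a minimal encapsulated fdset whose add refuses a new descriptor once the fixed table is full, so a flood of connections that never reach the login-time connection limit can no longer write past the arrays:

```c
#include <poll.h>
/* Simplified stand-in for afpd's poll table (names are assumptions, not Netatalk's
 * code): a fixed-size pollfd array, a parallel array tagging each slot, a count. */
#define FDSET_MAX 4
enum fd_kind { FD_LISTEN, FD_IPC };
struct fdset {
    struct pollfd pfd[FDSET_MAX];
    enum fd_kind kind[FDSET_MAX];
    int count;
};

/* Bounded add: returns -1 when the table is full instead of writing past the
 * arrays (the overflow the ticket describes); the caller closes a refused fd. */
int fdset_add_fd(struct fdset *s, int fd, enum fd_kind k)
{
    if (s->count >= FDSET_MAX) return -1;
    s->pfd[s->count].fd = fd;
    s->pfd[s->count].events = POLLIN;
    s->pfd[s->count].revents = 0;
    s->kind[s->count] = k;
    s->count++;
    return 0;
}

/* Remove by fd: move the last entry into the freed slot so both parallel
 * arrays stay in sync and live entries stay contiguous for poll(). */
int fdset_del_fd(struct fdset *s, int fd)
{
    for (int i = 0; i < s->count; i++) {
        if (s->pfd[i].fd != fd) continue;
        s->count--;
        s->pfd[i] = s->pfd[s->count];
        s->kind[i] = s->kind[s->count];
        return 0;
    }
    return -1;
}

/* Exercise the table with constructed fd numbers: FDSET_MAX + 2 adds, then free
 * one slot and add again. Returns refused adds (2) plus 10 if the retry worked. */
int fdset_demo(void)
{
    struct fdset s = { .count = 0 };
    int refused = 0;
    for (int fd = 10; fd < 10 + FDSET_MAX + 2; fd++)
        if (fdset_add_fd(&s, fd, FD_IPC) < 0) refused++;
    if (fdset_del_fd(&s, 11) == 0 && fdset_add_fd(&s, 99, FD_IPC) == 0)
        refused += 10;
    return refused;
}
```

The fd numbers in fdset_demo() are constructed values, not open sockets; in a real server the caller would close a descriptor that fdset_add_fd() refused rather than leaving it dangling.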