PCjr Telnet Server Test

Michael B. Brutman mbbrutman-cctalk at brutman.com
Sat Sep 13 15:49:56 CDT 2008


Sorry for the spam, but I'm back running again.  The address is still 
the same: 97.86.233.68 .  It will be up and running until I get sick of 
it, so please keep checking back and trying to break it.


Here is what I think happened on this first crash:

- New incoming connection sends a SYN packet
- PCjr sends SYN & ACK response
- No response so SYN & ACK gets retransmitted
- Other side resends their SYN packet
- PCjr incorrectly responds with an ACK to let the other side know what 
the correct sequence number is supposed to be.  (The connection is not 
established yet.)

The storage used to send the ACK packet is on the stack, and there is a 
BIG comment saying 'make sure this never gets queued anywhere, or you 
will have a dangling pointer into the stack'.  I don't think it was 
queued anywhere (that path is good), but I did corrupt the stack because 
my code saw a socket in SYN_RECVD sending a new outgoing packet, and it 
went and politely filled in the TCP options in that packet.  Which had 
no space to hold them, and thus corrupted the stack...

That's what I think at least.  I put a little debug code to catch it if 
it happens again, and I'll try to simulate the same thing happening 
later on.

It took about 72 connections and 40000 packets in and out to break it. 
Time to start again. :-(


Thanks,
Mike
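The failure mode Mike describes (a header-only reply built on the stack, then an options writer that assumes there is room after the header) comes down to two checks: the options writer must know the buffer's real capacity, and a bare ACK sent from SYN_RECVD should not carry options at all. The following is an added illustration, not code from the PCjr stack; the struct, function and enum names are made up for it.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Constructed names for this example; not the PCjr TCP stack's own. */
enum tcp_state { TCP_LISTEN, TCP_SYN_RECVD, TCP_ESTABLISHED };

#define TCP_HDR_LEN     20   /* fixed TCP header, no options */
#define TCP_OPT_MSS_LEN 4    /* kind=2, len=4, 16-bit MSS value */

/* A packet buffer that carries its own capacity, so a writer can refuse
   rather than overrun. The stack ACK in the post had exactly TCP_HDR_LEN. */
struct tcp_pkt {
    uint8_t *buf;
    size_t   cap;   /* bytes available in buf */
    size_t   len;   /* bytes used so far */
};

/* Append an MSS option. Returns the new length, or 0 (writing nothing)
   when the buffer cannot hold it. */
size_t tcp_add_mss_option(struct tcp_pkt *p, uint16_t mss) {
    if (p->len > p->cap || p->cap - p->len < TCP_OPT_MSS_LEN)
        return 0;                             /* no room: refuse, don't overrun */
    uint8_t *o = p->buf + p->len;
    o[0] = 2; o[1] = 4; o[2] = (uint8_t)(mss >> 8); o[3] = (uint8_t)mss;
    p->len += TCP_OPT_MSS_LEN;
    return p->len;
}

/* Only SYN and SYN-ACK segments negotiate MSS. A plain ACK emitted while
   the socket is still in SYN_RECVD must not get options filled in. */
int tcp_wants_options(enum tcp_state st, int syn_flag) {
    return syn_flag && (st == TCP_LISTEN || st == TCP_SYN_RECVD);
}

/* Build the ACK that answers a retransmitted SYN into a caller-supplied
   (stack) buffer of 'cap' bytes. Returns bytes used, or 0 if too small. */
size_t tcp_build_dup_syn_ack(uint8_t *stackbuf, size_t cap, enum tcp_state st) {
    if (cap < TCP_HDR_LEN) return 0;
    struct tcp_pkt p = { stackbuf, cap, 0 };
    memset(stackbuf, 0, cap);
    p.len = TCP_HDR_LEN;                  /* header fields would be set here */
    if (tcp_wants_options(st, /*syn_flag=*/0))   /* false: bare ACK */
        tcp_add_mss_option(&p, 536);
    return p.len;
}
```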
