From 43183e58430d3700e8d119bb080433c0ad9a44f4 Mon Sep 17 00:00:00 2001 From: Gregory Nutt Date: Mon, 1 Jun 2020 07:24:10 -0600 Subject: [PATCH] drivers/serial/pty.c: Correct returned number of bytes. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Reported by 권석근 : I found a bug at "pty.c" during ssh server implementation. When I turn on CONFIG_SERIAL_TERMIOS and OPOST|ONLCR on pty device for nsh console's stdin/stdout (ssh shell service), I've got system crash. Bugs at line 687 of pty.c, pty_write() ntotal++; when converting '\n' to '\r\n', pty_write() will return more than requested (+1, for example) length. and this will break caller lib_fflush(), line 150 of lib_libfflush.c. When she get (libfflush()) bytes_nwritten which is greater than nbuffer, nbuffer goes to negative at line 150 and eventually destroys *stream->fs_bufpos at line 163 of lib_libflush.c Removing ntotal++; line 687 of pty.c will fix this bug. BTW, nsh using ptm/pty as a ssh shell service works great with libssh + mbedtls. --- drivers/serial/pty.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/drivers/serial/pty.c b/drivers/serial/pty.c index 9876c163a0..7dbea27e9c 100644 --- a/drivers/serial/pty.c +++ b/drivers/serial/pty.c @@ -673,6 +673,10 @@ static ssize_t pty_write(FAR struct file *filep, * How would we ripple the O_NONBLOCK characteristic to the * contained sink pipe? file_vfcntl()? Or FIONSPACE? See the * TODO comment at the top of this file. + * + * NOTE: The newline is not included in total number of bytes + * written. Otherwise, we would return more than the + * requested number of bytes. */ nwritten = file_write(&dev->pd_sink, &cr, 1); @@ -681,10 +685,6 @@ static ssize_t pty_write(FAR struct file *filep, ntotal = nwritten; break; } - - /* Update the count of bytes transferred */ - - ntotal++; } /* Transfer the (possibly translated) character.. This will block
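Review bot: In the first hunk (@@ -673,6 +673,10 @@), the added NOTE says "The newline is not included in total number of bytes written", but the byte written directly below it is the carriage return, `file_write(&dev->pd_sink, &cr, 1)`, and the commit message describes the case as converting '\n' to '\r\n'. The byte left out of the count is the inserted '\r'; the '\n' from the caller's buffer is handled by the separate "Transfer the (possibly translated) character" step that follows. Suggest rewording the NOTE to say that the inserted carriage return is not included in the total, so a later reader does not conclude that the '\n' itself goes uncounted.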
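Review bot: In the second hunk (@@ -681,10 +685,6 @@), once `ntotal++` is removed after the `cr` write, nothing visible enforces the invariant the fix depends on, namely that pty_write() never returns more than the requested number of bytes. Since the commit message describes the consequence as memory corruption in the caller (nbuffer going negative in lib_fflush() and then damaging stream->fs_bufpos), consider adding a debug assertion on the return value against the requested length before pty_write() returns, and a defensive check in lib_fflush() that treats a bytes_nwritten greater than nbuffer as an error instead of subtracting it. That way another driver with the same over-count would fail cleanly rather than corrupt the stream buffer.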