mirror of
https://github.com/rapid7/metasploit-payloads
synced 2025-01-02 11:36:22 +01:00
On socket flush, stop reading on error
We are currently inconsistently handling errors in recv() when flushing data from a TCP socket. In one case, we handle the graceful close, but not the error case. In the other, we handle exactly the opposite. Both of these loops may spin indefinitely depending on the recv value from the remote server. In one, if the TCP connection is abruptly closed in stageless meterpreter or on a transport switch, the flush function may loop. In the other, if the remote server does a socket shutdown, but not a close, we will also loop.
This commit is contained in:
Brent Cook
parent
2c86c26ff2
commit
28425e7a99
@ -357,7 +357,7 @@ static VOID server_socket_flush(Transport* transport)
|
||||
dprintf("[SERVER] Flushed %d bytes from the buffer", ret);
|
||||
|
||||
// The socket closed while we waited
|
||||
if (ret == 0) {
|
||||
if (ret <= 0) {
|
||||
break;
|
||||
}
|
||||
continue;
|
||||
@ -889,7 +889,7 @@ DWORD THREADCALL cleanup_socket(THREAD* thread) {
|
||||
dprintf("[TCP] waiting for disconnect from remote");
|
||||
// loop until FD_CLOSE comes through.
|
||||
while ((result = recv(fd, buf, sizeof(buf), 0)) != 0) {
|
||||
if (result < 0) {
|
||||
if (result <= 0) {
|
||||
dprintf("[TCP] something went wrong on read.");
|
||||
break;
|
||||
}
|
||||
|
||||
@ -374,7 +374,7 @@ static VOID server_socket_flush(Transport* transport)
|
||||
dprintf("[SERVER] Flushed %d bytes from the buffer", ret);
|
||||
|
||||
// The socket closed while we waited
|
||||
if (ret == 0)
|
||||
if (ret <= 0)
|
||||
{
|
||||
break;
|
||||
}
|
||||
@ -846,7 +846,7 @@ DWORD THREADCALL cleanup_socket(THREAD* thread)
|
||||
// loop until FD_CLOSE comes through.
|
||||
while ((result = recv(fd, buf, sizeof(buf), 0)) != 0)
|
||||
{
|
||||
if (result < 0)
|
||||
if (result <= 0)
|
||||
{
|
||||
dprintf("[TCP] something went wrong on read.");
|
||||
break;
|
||||
|
||||
Loading…
Reference in New Issue
Block a user