aboutsummaryrefslogtreecommitdiffstats
path: root/meta-networking/recipes-netkit/netkit-telnet/files
diff options
context:
space:
mode:
Diffstat (limited to 'meta-networking/recipes-netkit/netkit-telnet/files')
-rw-r--r--meta-networking/recipes-netkit/netkit-telnet/files/0001-telnetd-utility.c-Fix-buffer-overflow-in-netoprintf.patch56
1 files changed, 56 insertions, 0 deletions
diff --git a/meta-networking/recipes-netkit/netkit-telnet/files/0001-telnetd-utility.c-Fix-buffer-overflow-in-netoprintf.patch b/meta-networking/recipes-netkit/netkit-telnet/files/0001-telnetd-utility.c-Fix-buffer-overflow-in-netoprintf.patch
new file mode 100644
index 0000000000..8f983e40ab
--- /dev/null
+++ b/meta-networking/recipes-netkit/netkit-telnet/files/0001-telnetd-utility.c-Fix-buffer-overflow-in-netoprintf.patch
@@ -0,0 +1,56 @@
+From 9c81c8e5bc7782e8ae12c078615abc3c896059f2 Mon Sep 17 00:00:00 2001
+From: Julius Hemanth Pitti <jpitti@cisco.com>
+Date: Tue, 14 Jul 2020 22:34:19 -0700
+Subject: [PATCH] telnetd/utility.c: Fix buffer overflow in netoprintf
+
+As per man page of vsnprintf, when formated
+string size is greater than "size"(2nd argument),
+then vsnprintf returns size of formated string,
+not "size"(2nd argument).
+
+netoprintf() was not handling a case where
+return value of vsnprintf is greater than
+"size"(2nd argument), results in buffer overflow
+while adjusting "nfrontp" pointer to point
+beyond "netobuf" buffer.
+
+Here is one such case where "nfrontp"
+crossed boundaries of "netobuf", and
+pointing to another global variable.
+
+(gdb) p &netobuf[8255]
+$5 = 0x55c93afe8b1f <netobuf+8255> ""
+(gdb) p nfrontp
+$6 = 0x55c93afe8c20 <terminaltype> "\377"
+(gdb) p &terminaltype
+$7 = (char **) 0x55c93afe8c20 <terminaltype>
+(gdb)
+
+This resulted in crash of telnetd service
+with segmentation fault.
+
+Though this is DoS security bug, I couldn't
+find any CVE ID for this.
+
+Upstream-Status: Pending
+
+Signed-off-by: Julius Hemanth Pitti <jpitti@cisco.com>
+---
+ telnetd/utility.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/telnetd/utility.c b/telnetd/utility.c
+index b9a46a6..4811f14 100644
+--- a/telnetd/utility.c
++++ b/telnetd/utility.c
+@@ -66,7 +66,7 @@ netoprintf(const char *fmt, ...)
+ len = vsnprintf(nfrontp, maxsize, fmt, ap);
+ va_end(ap);
+
+- if (len<0 || len==maxsize) {
++ if (len<0 || len>=maxsize) {
+ /* didn't fit */
+ netflush();
+ }
+--
+2.19.1
generated by cgit 1.2.3-korg (git 2.39.0) at 2024-04-24 09:56:43 +0000