From 9c81c8e5bc7782e8ae12c078615abc3c896059f2 Mon Sep 17 00:00:00 2001
From: Julius Hemanth Pitti <jpitti@cisco.com>
Date: Tue, 14 Jul 2020 22:34:19 -0700
Subject: [PATCH] telnetd/utility.c: Fix buffer overflow in netoprintf

As per man page of vsnprintf, when formated
string size is greater than "size"(2nd argument),
then vsnprintf returns size of formated string,
not "size"(2nd argument).

netoprintf() was not handling a case where
return value of vsnprintf is greater than
"size"(2nd argument), results in buffer overflow
while adjusting "nfrontp" pointer to point
beyond "netobuf" buffer.

Here is one such case where "nfrontp"
crossed boundaries of "netobuf", and
pointing to another global variable.

(gdb) p &netobuf[8255]
$5 = 0x55c93afe8b1f <netobuf+8255> ""
(gdb) p nfrontp
$6 = 0x55c93afe8c20 <terminaltype> "\377"
(gdb) p &terminaltype
$7 = (char **) 0x55c93afe8c20 <terminaltype>
(gdb)

This resulted in crash of telnetd service
with segmentation fault.

Though this is DoS security bug, I couldn't
find any CVE ID for this.

Upstream-Status: Pending

Signed-off-by: Julius Hemanth Pitti <jpitti@cisco.com>
---
 telnetd/utility.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/telnetd/utility.c b/telnetd/utility.c
index b9a46a6..4811f14 100644
--- a/telnetd/utility.c
+++ b/telnetd/utility.c
@@ -66,7 +66,7 @@ netoprintf(const char *fmt, ...)
       len = vsnprintf(nfrontp, maxsize, fmt, ap);
       va_end(ap);
 
-      if (len<0 || len==maxsize) {
+      if (len<0 || len>=maxsize) {
 	 /* didn't fit */
 	 netflush();
       }
--
2.19.1