path: root/meta-networking/recipes-irc/znc
author: Julius Hemanth Pitti <jpitti@cisco.com>, 2020-07-20 15:19:46 -0700
committer: Armin Kuster <akuster808@gmail.com>, 2020-07-29 22:44:52 -0700
commit: b4be735fdb1bbc97e147739c217ad5b62e74fa61
tree: 377c34d50718c923ca6ea325da0459d1ddd2e4cb /meta-networking/recipes-irc/znc
parent: fd0d398fe70f8ea109f7a9efa5b13bfff1a70bd0
netkit-telnetd: Fix buffer overflow in netoprintf

netoprintf() was not handling a case where return value of vsnprintf is greater than "size" (2nd argument), results in buffer overflow while adjusting "nfrontp" pointer to point beyond "netobuf" buffer.

Here is one such case where "nfrontp" crossed boundaries of "netobuf", and pointing to another global variable.

    (gdb) p &netobuf[8255]
    $5 = 0x55c93afe8b1f <netobuf+8255> ""
    (gdb) p nfrontp
    $6 = 0x55c93afe8c20 <terminaltype> "\377"
    (gdb) p &terminaltype
    $7 = (char **) 0x55c93afe8c20 <terminaltype>
    (gdb)

This resulted in crash of telnetd service with segmentation fault.

Signed-off-by: Julius Hemanth Pitti <jpitti@cisco.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 232b82afd405c526f822294509e1d32388544ed4)
[appears to be CVE-2020-10188]
Signed-off-by: Armin Kuster <akuster808@gmail.com>

Diffstat (limited to 'meta-networking/recipes-irc/znc')
0 files changed, 0 insertions, 0 deletions
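
The return-value pitfall described in the commit message, as an added example (not the patch and not netkit-telnetd code): vsnprintf returns the length the output would have had, so advancing a write position by it can leave the buffer. The names outbuf, append_unchecked and append_checked and the 32-byte size are assumptions, and the write position is modelled as an offset rather than a pointer so the out-of-range value can be observed safely.

```c
#include <stdarg.h>
#include <stdio.h>

#define OUT_SIZE 32   /* constructed size, small so truncation is easy to trigger */

struct outbuf {
    char   data[OUT_SIZE];
    size_t front;     /* offset of the next free byte (models a pointer such as nfrontp) */
};

/* Unchecked: treats vsnprintf's return value as the number of bytes stored. */
static size_t append_unchecked(struct outbuf *b, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int len = vsnprintf(b->data + b->front, OUT_SIZE - b->front, fmt, ap);
    va_end(ap);
    if (len > 0)
        b->front += (size_t)len;   /* on truncation, len is the would-be length */
    return b->front;
}

/* Checked: returns 0 on success, -1 if the text did not fit; front stays inside data. */
static int append_checked(struct outbuf *b, const char *fmt, ...)
{
    size_t room = OUT_SIZE - b->front;   /* always >= 1 because of the check below */
    va_list ap;
    va_start(ap, fmt);
    int len = vsnprintf(b->data + b->front, room, fmt, ap);
    va_end(ap);
    if (len < 0 || (size_t)len >= room) {
        b->data[b->front] = '\0';        /* drop the truncated fragment */
        return -1;
    }
    b->front += (size_t)len;
    return 0;
}

int main(void)
{
    const char *msg = "0123456789012345678901234567890123456789"; /* 40 chars, constructed */
    struct outbuf a = { {0}, 0 }, c = { {0}, 0 };
    size_t bad = append_unchecked(&a, "%s", msg);
    int rc = append_checked(&c, "%s", msg);
    printf("unchecked: front=%zu in a %d-byte buffer\n", bad, OUT_SIZE);
    printf("checked:   rc=%d front=%zu\n", rc, c.front);
    return 0;
}
```
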