diff options
| author |   Armin Kuster <akuster808@gmail.com> | 2023-11-15 08:26:09 -0500 |
|---|---|---|
| committer |   Khem Raj <raj.khem@gmail.com> | 2023-11-15 09:51:45 -0800 |
| commit | 4c1e6d32ba6e9a14937a83f0d9375ef4d0b28057 (patch) | |
| tree | 17fdf66e3039dd2b0c2c54ee61f6da105aced1af /meta-networking/recipes-netkit/netkit-telnet/files/0001-telnetd-utility.c-Fix-buffer-overflow-in-netoprintf.patch | |
| parent | 237ce297fa021bd6798ee3ecdc31f716442e4d37 (diff) | |
| download | meta-openembedded-4c1e6d32ba6e9a14937a83f0d9375ef4d0b28057.tar.gz | |
netkit: Drop old and no upstream
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Diffstat (limited to 'meta-networking/recipes-netkit/netkit-telnet/files/0001-telnetd-utility.c-Fix-buffer-overflow-in-netoprintf.patch')
| -rw-r--r-- | meta-networking/recipes-netkit/netkit-telnet/files/0001-telnetd-utility.c-Fix-buffer-overflow-in-netoprintf.patch | 56 |
1 files changed, 0 insertions, 56 deletions
diff --git a/meta-networking/recipes-netkit/netkit-telnet/files/0001-telnetd-utility.c-Fix-buffer-overflow-in-netoprintf.patch b/meta-networking/recipes-netkit/netkit-telnet/files/0001-telnetd-utility.c-Fix-buffer-overflow-in-netoprintf.patch deleted file mode 100644 index 8f983e40ab..0000000000 --- a/meta-networking/recipes-netkit/netkit-telnet/files/0001-telnetd-utility.c-Fix-buffer-overflow-in-netoprintf.patch +++ /dev/null @@ -1,56 +0,0 @@ -From 9c81c8e5bc7782e8ae12c078615abc3c896059f2 Mon Sep 17 00:00:00 2001 -From: Julius Hemanth Pitti <jpitti@cisco.com> -Date: Tue, 14 Jul 2020 22:34:19 -0700 -Subject: [PATCH] telnetd/utility.c: Fix buffer overflow in netoprintf - -As per man page of vsnprintf, when formated -string size is greater than "size"(2nd argument), -then vsnprintf returns size of formated string, -not "size"(2nd argument). - -netoprintf() was not handling a case where -return value of vsnprintf is greater than -"size"(2nd argument), results in buffer overflow -while adjusting "nfrontp" pointer to point -beyond "netobuf" buffer. - -Here is one such case where "nfrontp" -crossed boundaries of "netobuf", and -pointing to another global variable. - -(gdb) p &netobuf[8255] -$5 = 0x55c93afe8b1f <netobuf+8255> "" -(gdb) p nfrontp -$6 = 0x55c93afe8c20 <terminaltype> "\377" -(gdb) p &terminaltype -$7 = (char **) 0x55c93afe8c20 <terminaltype> -(gdb) - -This resulted in crash of telnetd service -with segmentation fault. - -Though this is DoS security bug, I couldn't -find any CVE ID for this. - -Upstream-Status: Pending - -Signed-off-by: Julius Hemanth Pitti <jpitti@cisco.com> ---- - telnetd/utility.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/telnetd/utility.c b/telnetd/utility.c -index b9a46a6..4811f14 100644 ---- a/telnetd/utility.c -+++ b/telnetd/utility.c -@@ -66,7 +66,7 @@ netoprintf(const char *fmt, ...) - len = vsnprintf(nfrontp, maxsize, fmt, ap); - va_end(ap); - -- if (len<0 || len==maxsize) { -+ if (len<0 || len>=maxsize) { - /* didn't fit */ - netflush(); - } --- -2.19.1 |