diff options
Diffstat (limited to 'meta-networking')
2 files changed, 57 insertions, 0 deletions
diff --git a/meta-networking/recipes-netkit/netkit-telnet/files/0001-telnetd-utility.c-Fix-buffer-overflow-in-netoprintf.patch b/meta-networking/recipes-netkit/netkit-telnet/files/0001-telnetd-utility.c-Fix-buffer-overflow-in-netoprintf.patch new file mode 100644 index 0000000000..8f983e40ab --- /dev/null +++ b/meta-networking/recipes-netkit/netkit-telnet/files/0001-telnetd-utility.c-Fix-buffer-overflow-in-netoprintf.patch @@ -0,0 +1,56 @@ +From 9c81c8e5bc7782e8ae12c078615abc3c896059f2 Mon Sep 17 00:00:00 2001 +From: Julius Hemanth Pitti <jpitti@cisco.com> +Date: Tue, 14 Jul 2020 22:34:19 -0700 +Subject: [PATCH] telnetd/utility.c: Fix buffer overflow in netoprintf + +As per man page of vsnprintf, when formated +string size is greater than "size"(2nd argument), +then vsnprintf returns size of formated string, +not "size"(2nd argument). + +netoprintf() was not handling a case where +return value of vsnprintf is greater than +"size"(2nd argument), results in buffer overflow +while adjusting "nfrontp" pointer to point +beyond "netobuf" buffer. + +Here is one such case where "nfrontp" +crossed boundaries of "netobuf", and +pointing to another global variable. + +(gdb) p &netobuf[8255] +$5 = 0x55c93afe8b1f <netobuf+8255> "" +(gdb) p nfrontp +$6 = 0x55c93afe8c20 <terminaltype> "\377" +(gdb) p &terminaltype +$7 = (char **) 0x55c93afe8c20 <terminaltype> +(gdb) + +This resulted in crash of telnetd service +with segmentation fault. + +Though this is DoS security bug, I couldn't +find any CVE ID for this. + +Upstream-Status: Pending + +Signed-off-by: Julius Hemanth Pitti <jpitti@cisco.com> +--- + telnetd/utility.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/telnetd/utility.c b/telnetd/utility.c +index b9a46a6..4811f14 100644 +--- a/telnetd/utility.c ++++ b/telnetd/utility.c +@@ -66,7 +66,7 @@ netoprintf(const char *fmt, ...) + len = vsnprintf(nfrontp, maxsize, fmt, ap); + va_end(ap); + +- if (len<0 || len==maxsize) { ++ if (len<0 || len>=maxsize) { + /* didn't fit */ + netflush(); + } +-- +2.19.1 diff --git a/meta-networking/recipes-netkit/netkit-telnet/netkit-telnet_0.17.bb b/meta-networking/recipes-netkit/netkit-telnet/netkit-telnet_0.17.bb index 0e92add633..08dd532b62 100644 --- a/meta-networking/recipes-netkit/netkit-telnet/netkit-telnet_0.17.bb +++ b/meta-networking/recipes-netkit/netkit-telnet/netkit-telnet_0.17.bb @@ -13,6 +13,7 @@ SRC_URI = "http://ftp.linux.org.uk/pub/linux/Networking/netkit/${BP}.tar.gz \ file://0001-telnet-telnetd-Fix-print-format-strings.patch \ file://0001-telnet-telnetd-Fix-deadlock-on-cleanup.patch \ file://CVE-2020-10188.patch \ + file://0001-telnetd-utility.c-Fix-buffer-overflow-in-netoprintf.patch \ " UPSTREAM_CHECK_URI = "${DEBIAN_MIRROR}/main/n/netkit-telnet/" |