From 9c81c8e5bc7782e8ae12c078615abc3c896059f2 Mon Sep 17 00:00:00 2001
From: Julius Hemanth Pitti <jpitti@cisco.com>
Date: Tue, 14 Jul 2020 22:34:19 -0700
Subject: [PATCH] telnetd/utility.c: Fix buffer overflow in netoprintf

As per the man page of vsnprintf, when the formatted
string size is greater than "size" (2nd argument),
then vsnprintf returns the size of the formatted string,
not "size" (2nd argument).

netoprintf() was not handling the case where the
return value of vsnprintf is greater than
"size" (2nd argument), resulting in a buffer overflow
while adjusting the "nfrontp" pointer to point
beyond the "netobuf" buffer.

Here is one such case where "nfrontp"
crossed the boundaries of "netobuf" and is
pointing to another global variable.

(gdb) p &netobuf[8255]
$5 = 0x55c93afe8b1f <netobuf+8255> ""
(gdb) p nfrontp
$6 = 0x55c93afe8c20 <terminaltype> "\377"
(gdb) p &terminaltype
$7 = (char **) 0x55c93afe8c20 <terminaltype>
(gdb)

This resulted in a crash of the telnetd service
with a segmentation fault.

Though this is a DoS security bug, I couldn't
find any CVE ID for it.

Upstream-Status: Pending

Signed-off-by: Julius Hemanth Pitti <jpitti@cisco.com>
---
 telnetd/utility.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/telnetd/utility.c b/telnetd/utility.c
index b9a46a6..4811f14 100644
--- a/telnetd/utility.c
+++ b/telnetd/utility.c
| @@ -66,7 +66,7 @@ netoprintf(const char *fmt, ...) |
| len = vsnprintf(nfrontp, maxsize, fmt, ap); |
| va_end(ap); |
| |
| - if (len<0 || len==maxsize) { |
| + if (len<0 || len>=maxsize) { |
| /* didn't fit */ |
| netflush(); |
| } |
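Review bot: the new `len>=maxsize` test is the right condition, because C99 vsnprintf returns the length the complete string would have had, so any `len >= maxsize` means the output was truncated (the old `len==maxsize` check only caught the case where exactly the terminating NUL was dropped, and let the larger `len` values the commit message describes advance `nfrontp` past `netobuf`). The one thing to confirm outside this hunk is that the `netflush()` branch is followed by a retry or an early return rather than falling through to `nfrontp += len`, since `len` can still exceed the remaining space after the flush. Minor: if `len` is a signed `int` and `maxsize` is a `size_t` (the types are not visible here), the comparison is only safe because `len<0` is tested first and short-circuits, so keep that ordering.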
--
2.19.1