Andrew Geissler | 87f5cff | 2022-09-30 13:13:31 -0500 | [diff] [blame] | 1 | From d52349fa1b6baac77ffa2c74769636aa2ece2ec5 Mon Sep 17 00:00:00 2001 |
| 2 | From: Erik Auerswald <auerswal@unix-ag.uni-kl.de> |
| 3 | Date: Sat, 3 Sep 2022 16:58:16 +0200 |
| 4 | Subject: [PATCH] telnetd: Handle early IAC EC or IAC EL receipt |
| 5 | |
| 6 | Fix telnetd crash if the first two bytes of a new connection |
| 7 | are 0xff 0xf7 (IAC EC) or 0xff 0xf8 (IAC EL). |
| 8 | |
| 9 | The problem was reported in: |
| 10 | <https://pierrekim.github.io/blog/2022-08-24-2-byte-dos-freebsd-netbsd-telnetd-netkit-telnetd-inetutils-telnetd-kerberos-telnetd.html>. |
| 11 | |
| 12 | * NEWS: Mention fix. |
| 13 | * telnetd/state.c (telrcv): Handle zero slctab[SLC_EC].sptr and |
| 14 | zero slctab[SLC_EL].sptr. |
| 15 | |
| 16 | CVE: CVE-2022-39028 |
| 17 | Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/inetutils.git/commit/?id=fae8263e467380483c28513c0e5fac143e46f94f] |
| 18 | Signed-off-by: Khem Raj <raj.khem@gmail.com> |
| 19 | --- |
| 20 | telnetd/state.c | 12 +++++++++--- |
| 21 | 1 file changed, 9 insertions(+), 3 deletions(-) |
| 22 | |
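--- a/telnetd/state.c
+++ b/telnetd/state.c
@@ -312,15 +312,21 @@ telrcv (void)
 case EC:
 case EL:
 {
- cc_t ch;
+ cc_t ch = (cc_t) (_POSIX_VDISABLE);
 
 DEBUG (debug_options, 1, printoption ("td: recv IAC", c));
 ptyflush (); /* half-hearted */
 init_termbuf ();
 if (c == EC)
- ch = *slctab[SLC_EC].sptr;
+ {
+ if (slctab[SLC_EC].sptr)
+ ch = *slctab[SLC_EC].sptr;
+ }
 else
- ch = *slctab[SLC_EL].sptr;
+ {
+ if (slctab[SLC_EL].sptr)
+ ch = *slctab[SLC_EL].sptr;
+ }
 if (ch != (cc_t) (_POSIX_VDISABLE))
 pty_output_byte ((unsigned char) ch);
 break;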
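Review bot: The two new null checks in the `EC`/`EL` case carry no comment saying why `sptr` can be zero, so a later reader cannot tell that this guard is what prevents the crash on the first two bytes of a new connection described in the commit message. I would add above `if (c == EC)`: `/* sptr may still be NULL if IAC EC/EL arrives before the SLC table is set up (presumably early in the connection); leave ch disabled. */`. As a style point, the duplicated branches could collapse to `cc_t *sp = slctab[c == EC ? SLC_EC : SLC_EL].sptr;` followed by `if (sp) ch = *sp;`, which leaves a single dereference site to audit. `telrcv` starts and ends outside this hunk, so any other `slctab[...].sptr` dereferences in it are not visible here and are worth checking for the same guard.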
| 52 | -- |
| 53 | 2.37.3 |
| 54 | |