| Andrew Geissler | 87f5cff | 2022-09-30 13:13:31 -0500 | [diff] [blame] | 1 | From d52349fa1b6baac77ffa2c74769636aa2ece2ec5 Mon Sep 17 00:00:00 2001 | 
|  | 2 | From: Erik Auerswald <auerswal@unix-ag.uni-kl.de> | 
|  | 3 | Date: Sat, 3 Sep 2022 16:58:16 +0200 | 
|  | 4 | Subject: [PATCH] telnetd: Handle early IAC EC or IAC EL receipt | 
|  | 5 |  | 
|  | 6 | Fix telnetd crash if the first two bytes of a new connection | 
|  | 7 | are 0xff 0xf7 (IAC EC) or 0xff 0xf8 (IAC EL). | 
|  | 8 |  | 
|  | 9 | The problem was reported in: | 
|  | 10 | <https://pierrekim.github.io/blog/2022-08-24-2-byte-dos-freebsd-netbsd-telnetd-netkit-telnetd-inetutils-telnetd-kerberos-telnetd.html>. | 
|  | 11 |  | 
|  | 12 | * NEWS: Mention fix. | 
|  | 13 | * telnetd/state.c (telrcv): Handle zero slctab[SLC_EC].sptr and | 
|  | 14 | zero slctab[SLC_EL].sptr. | 
|  | 15 |  | 
|  | 16 | CVE: CVE-2022-39028 | 
|  | 17 | Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/inetutils.git/commit/?id=fae8263e467380483c28513c0e5fac143e46f94f] | 
|  | 18 | Signed-off-by: Khem Raj <raj.khem@gmail.com> | 
|  | 19 | --- | 
|  | 20 | telnetd/state.c | 12 +++++++++--- | 
|  | 21 | 1 file changed, 9 insertions(+), 3 deletions(-) | 
|  | 22 |  | 
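diff --git a/telnetd/state.c b/telnetd/state.c
index ffc6cba..c2d760f 100644
--- a/telnetd/state.c
+++ b/telnetd/state.c
@@ -312,15 +312,21 @@ telrcv (void)
 case EC:
 case EL:
 {
-		cc_t ch;
+		cc_t ch = (cc_t) (_POSIX_VDISABLE);
 
 DEBUG (debug_options, 1, printoption ("td: recv IAC", c));
 ptyflush ();	/* half-hearted */
 init_termbuf ();
 if (c == EC)
-		  ch = *slctab[SLC_EC].sptr;
+		  {
+		    if (slctab[SLC_EC].sptr)
+		      ch = *slctab[SLC_EC].sptr;
+		  }
 else
-		  ch = *slctab[SLC_EL].sptr;
+		  {
+		    if (slctab[SLC_EL].sptr)
+		      ch = *slctab[SLC_EL].sptr;
+		  }
 if (ch != (cc_t) (_POSIX_VDISABLE))
 pty_output_byte ((unsigned char) ch);
 break;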
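Review bot: The new guards do not record why `slctab[SLC_EC].sptr` and `slctab[SLC_EL].sptr` can be NULL here, so a later reader may take them for dead code and fold them back into the original unconditional dereference; a comment on the new initializer such as `/* sptr may still be unset this early in the session; default to VDISABLE so the EC/EL byte is simply ignored */` (adjusted to whatever actually populates slctab, which is outside this hunk) would pin the intent of the CVE-2022-39028 fix. The two guarded branches are identical apart from the table index, so `cc_t *p = slctab[c == EC ? SLC_EC : SLC_EL].sptr; if (p) ch = *p;` expresses the same in two lines without the duplicated block structure. The commit message also lists a NEWS entry, yet the diffstat shows only telnetd/state.c, so the backport appears to have dropped that hunk while keeping its mention. telrcv starts and ends outside the hunk.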
|  | 52 | -- | 
|  | 53 | 2.37.3 | 
|  | 54 |  |