From 9c81c8e5bc7782e8ae12c078615abc3c896059f2 Mon Sep 17 00:00:00 2001
|
From: Julius Hemanth Pitti <jpitti@cisco.com>
|
Date: Tue, 14 Jul 2020 22:34:19 -0700
|
Subject: [PATCH] telnetd/utility.c: Fix buffer overflow in netoprintf
|
|
As per man page of vsnprintf, when formated
|
string size is greater than "size"(2nd argument),
|
then vsnprintf returns size of formated string,
|
not "size"(2nd argument).
|
|
netoprintf() was not handling a case where
|
return value of vsnprintf is greater than
|
"size"(2nd argument), results in buffer overflow
|
while adjusting "nfrontp" pointer to point
|
beyond "netobuf" buffer.
|
|
Here is one such case where "nfrontp"
|
crossed boundaries of "netobuf", and
|
pointing to another global variable.
|
|
(gdb) p &netobuf[8255]
|
$5 = 0x55c93afe8b1f <netobuf+8255> ""
|
(gdb) p nfrontp
|
$6 = 0x55c93afe8c20 <terminaltype> "\377"
|
(gdb) p &terminaltype
|
$7 = (char **) 0x55c93afe8c20 <terminaltype>
|
(gdb)
|
|
This resulted in crash of telnetd service
|
with segmentation fault.
|
|
Though this is DoS security bug, I couldn't
|
find any CVE ID for this.
|
|
Upstream-Status: Pending
|
|
Signed-off-by: Julius Hemanth Pitti <jpitti@cisco.com>
|
---
|
telnetd/utility.c | 2 +-
|
1 file changed, 1 insertion(+), 1 deletion(-)
|
|
diff --git a/telnetd/utility.c b/telnetd/utility.c
|
index b9a46a6..4811f14 100644
|
--- a/telnetd/utility.c
|
+++ b/telnetd/utility.c
|
@@ -66,7 +66,7 @@ netoprintf(const char *fmt, ...)
|
len = vsnprintf(nfrontp, maxsize, fmt, ap);
|
va_end(ap);
|
|
- if (len<0 || len==maxsize) {
|
+ if (len<0 || len>=maxsize) {
|
/* didn't fit */
|
netflush();
|
}
|
--
|
2.19.1
|
