- From 9c81c8e5bc7782e8ae12c078615abc3c896059f2 Mon Sep 17 00:00:00 2001
- From: Julius Hemanth Pitti <jpitti@cisco.com>
- Date: Tue, 14 Jul 2020 22:34:19 -0700
- Subject: [PATCH] telnetd/utility.c: Fix buffer overflow in netoprintf
- As per man page of vsnprintf, when formatted
- string size is greater than "size"(2nd argument),
- then vsnprintf returns size of formatted string,
- not "size"(2nd argument).
- netoprintf() was not handling a case where
- return value of vsnprintf is greater than
- "size"(2nd argument), results in buffer overflow
- while adjusting "nfrontp" pointer to point
- beyond "netobuf" buffer.
- Here is one such case where "nfrontp"
- crossed boundaries of "netobuf", and
- pointing to another global variable.
- (gdb) p &netobuf[8255]
- $5 = 0x55c93afe8b1f <netobuf+8255> ""
- (gdb) p nfrontp
- $6 = 0x55c93afe8c20 <terminaltype> "\377"
- (gdb) p &terminaltype
- $7 = (char **) 0x55c93afe8c20 <terminaltype>
- (gdb)
- This resulted in a crash of the telnetd service
- with a segmentation fault.
- Though this is a DoS security bug, I couldn't
- find any CVE ID for this.
- Upstream-Status: Pending
- Signed-off-by: Julius Hemanth Pitti <jpitti@cisco.com>
- ---
- telnetd/utility.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
- diff --git a/telnetd/utility.c b/telnetd/utility.c
- index b9a46a6..4811f14 100644
- --- a/telnetd/utility.c
- +++ b/telnetd/utility.c
- @@ -66,7 +66,7 @@ netoprintf(const char *fmt, ...)
- len = vsnprintf(nfrontp, maxsize, fmt, ap);
- va_end(ap);
-
- - if (len<0 || len==maxsize) {
- + if (len<0 || len>=maxsize) {
- /* didn't fit */
- netflush();
- }
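Review bot: the widened `len>=maxsize` test now catches the overshoot case, but every `len >= maxsize` return also means vsnprintf truncated the text inside netobuf, and the hunk stops at `netflush();` without showing what happens to `nfrontp` and to those truncated bytes afterwards. Please confirm in the lines that follow the `if` that `nfrontp` is not advanced by `len` on this path (that advance is exactly the out-of-bounds pointer the commit message shows in gdb), that the partial output is not sent, and that the message is re-formatted once netflush() has made room. A one-line comment above the check stating that vsnprintf returns the length it wanted to write rather than the bytes it wrote would document why `>=` and not `==` is needed here; the `==` case was already correct because vsnprintf writes at most `maxsize-1` characters plus the NUL. The `len<0` guard is evaluated first, so if `maxsize` is unsigned the `>=` comparison never sees a negative `len` promoted to a huge unsigned value; keep that ordering.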
- --
- 2.19.1
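The vsnprintf return-value behaviour the commit message relies on, and the difference between the old `==` check and the patched `>=` check, shown as an added stand-alone C example that is not telnetd's code. It models netoprintf() with a 32-byte buffer and an index standing in for nfrontp; the `netbuf_t` struct, the tiny buffer size, the constructed 40-byte message, and the flush-and-retry in the fixed variant are this example's own assumptions, not something the patch shows.

```c
#include <stdarg.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example, not telnetd's code: a model of the netoprintf() pattern
 * from the patch. NETOBUF_SIZE is deliberately tiny (assumption) so that
 * a message larger than the buffer is easy to construct. */
#define NETOBUF_SIZE 32

typedef struct {
    char netobuf[NETOBUF_SIZE];
    size_t front;    /* next free byte; stands in for nfrontp - netobuf */
    size_t flushed;  /* bytes handed to the (simulated) network by netflush() */
} netbuf_t;

static void netflush(netbuf_t *nb)
{
    nb->flushed += nb->front;
    nb->front = 0;
}

/* vsnprintf never writes more than `size` bytes (NUL included), but it
 * returns the length the full formatted string would have had. */
static int probe_truncation(void)
{
    char dst[8];
    int reported = snprintf(dst, sizeof dst, "%s", "hello world");
    /* reported is 11; dst holds "hello w" (7 characters plus NUL) */
    return reported == 11 && strcmp(dst, "hello w") == 0;
}

/* Pre-patch logic: only len == maxsize counts as "didn't fit". When
 * len > maxsize the index is advanced past the end of the buffer, which is
 * the nfrontp corruption the commit message describes. Nothing is written
 * out of bounds here because `front` is never dereferenced afterwards. */
static int netoprintf_buggy(netbuf_t *nb, const char *fmt, ...)
{
    va_list ap;
    size_t maxsize = NETOBUF_SIZE - nb->front;

    va_start(ap, fmt);
    int len = vsnprintf(nb->netobuf + nb->front, maxsize, fmt, ap);
    va_end(ap);

    if (len < 0 || (size_t)len == maxsize) {
        netflush(nb);
        return 0;
    }
    nb->front += (size_t)len;   /* bug: len may exceed maxsize */
    return len;
}

/* Patched check (len >= maxsize) plus a flush-and-retry, which is this
 * example's own choice; the hunk shows only the check. On truncation the
 * partial text already in netobuf is not accounted for (front is not
 * advanced), so netflush() never sends it. */
static int netoprintf_fixed(netbuf_t *nb, const char *fmt, ...)
{
    for (int attempt = 0; attempt < 2; attempt++) {
        va_list ap;
        size_t maxsize = NETOBUF_SIZE - nb->front;

        va_start(ap, fmt);
        int len = vsnprintf(nb->netobuf + nb->front, maxsize, fmt, ap);
        va_end(ap);

        if (len < 0)
            return -1;                 /* format/encoding error */
        if ((size_t)len < maxsize) {   /* fit, NUL included */
            nb->front += (size_t)len;
            return len;
        }
        netflush(nb);                  /* didn't fit: make room and retry */
    }
    return -1;                         /* larger than the whole buffer */
}

/* Constructed 40-character message, larger than the 32-byte buffer. */
static const char *MSG40 = "0123456789012345678901234567890123456789";

/* Returns 1 if the pre-patch check lets the write index run past netobuf. */
static int demo_buggy_overruns(void)
{
    netbuf_t nb = {{0}, 0, 0};
    netoprintf_buggy(&nb, "%s", MSG40);   /* len 40 != maxsize 32: not caught */
    return nb.front > NETOBUF_SIZE;
}

/* Drives the fixed variant through the fit, flush-and-retry and too-big
 * cases; returns 1 when every intermediate state matches the comments. */
static int demo_fixed_stays_in_bounds(void)
{
    netbuf_t nb = {{0}, 0, 0};
    int r1 = netoprintf_fixed(&nb, "%s", "abcdefghijklmnopqrstuvwxyz"); /* 26 fits */
    size_t f1 = nb.front;                                               /* 26 */
    int r2 = netoprintf_fixed(&nb, "%s", "0123456789"); /* 10 > 6 free: flush, retry */
    size_t f2 = nb.front, fl2 = nb.flushed;             /* 10, 26 */
    int r3 = netoprintf_fixed(&nb, "%s", MSG40);        /* 40 never fits in 32 */
    return r1 == 26 && f1 == 26 && r2 == 10 && f2 == 10 && fl2 == 26
        && r3 == -1 && nb.front == 0 && nb.flushed == 36;
}

int main(void)
{
    printf("vsnprintf reports full length on truncation: %s\n", probe_truncation() ? "yes" : "no");
    printf("pre-patch check overruns netobuf: %s\n", demo_buggy_overruns() ? "yes" : "no");
    printf("patched check stays in bounds: %s\n", demo_fixed_stays_in_bounds() ? "yes" : "no");
    return 0;
}
```

The buggy variant reproduces the commit message's failure without touching memory out of bounds: the 40-character message leaves `front` at 40 in a 32-byte buffer, the same arithmetic that moved `nfrontp` into `terminaltype` in the gdb session above. The fixed variant treats any `len >= maxsize` as truncation, discards the partial text by leaving `front` alone, and only advances once the whole message fits.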