Strona główna Odkrywaj Pomoc
Zaloguj się
crispAudio
/
meta-openembedded
kopia lustrzana git://git.openembedded.org/meta-openembedded
5
0
Forkuj 0
Pliki Problemy 0 Wiki
Drzewo: 237ce297fa
Gałęzie Tagi
meta-openemb...
/
meta-networking
/
recipes-netkit
/
netkit-telnet
/
files
/
CVE-2020-10188.patch

CVE-2020-10188.patch 2.8 KB
Historia Czysty

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112 
  1. From 6ab007dbb1958371abff2eaaad2b26da89b3c74e Mon Sep 17 00:00:00 2001
    2. 

  2. From: Yi Zhao <yi.zhao@windriver.com>
    3. 

  3. Date: Fri, 24 Apr 2020 09:43:44 +0800
    4. 

  4. Subject: [PATCH] telnetd/utility.c: fix CVE-2020-10188
    5. 

  5. 

  6. Upstream-Status: Backport
    7. 

  7. [Fedora: https://src.fedoraproject.org/rpms/telnet/raw/master/f/telnet-0.17-overflow-exploit.patch]
    8. 

  8. 

  9. CVE: CVE-2020-10188
    10. 

  10. 

  11. Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
    12. 

  12. ---
    13. 

  13.  telnetd/utility.c | 32 +++++++++++++++++++++-----------
    14. 

  14.  1 file changed, 21 insertions(+), 11 deletions(-)
    15. 

  15. 

  16. diff --git a/telnetd/utility.c b/telnetd/utility.c
    17. 

  17. index 75314cb..b9a46a6 100644
    18. 

  18. --- a/telnetd/utility.c
    19. 

  19. +++ b/telnetd/utility.c
    20. 

  20. @@ -169,31 +169,38 @@ void 	ptyflush(void)
    21. 

  21.   */
    22. 

  22.  static
    23. 

  23.  char *
    24. 

  24. -nextitem(char *current)
    25. 

  25. +nextitem(char *current, const char *endp)
    26. 

  26.  {
    27. 

  27. +    if (current >= endp) {
    28. 

  28. +        return NULL;
    29. 

  29. +    }
    30. 

  30.      if ((*current&0xff) != IAC) {
    31. 

  31.  	return current+1;
    32. 

  32.      }
    33. 

  33. +    if (current+1 >= endp) {
    34. 

  34. +        return NULL;
    35. 

  35. +    }
    36. 

  36.      switch (*(current+1)&0xff) {
    37. 

  37.      case DO:
    38. 

  38.      case DONT:
    39. 

  39.      case WILL:
    40. 

  40.      case WONT:
    41. 

  41. -	return current+3;
    42. 

  42. +	return current+3 <= endp ? current+3 : NULL;
    43. 

  43.      case SB:		/* loop forever looking for the SE */
    44. 

  44.  	{
    45. 

  45.  	    register char *look = current+2;
    46. 

  46.  
    47. 

  47. -	    for (;;) {
    48. 

  48. +	    while (look < endp) {
    49. 

  49.  		if ((*look++&0xff) == IAC) {
    50. 

  50. -		    if ((*look++&0xff) == SE) {
    51. 

  51. +		    if (look < endp && (*look++&0xff) == SE) {
    52. 

  52.  			return look;
    53. 

  53.  		    }
    54. 

  54.  		}
    55. 

  55.  	    }
    56. 

  56. +	    return NULL;
    57. 

  57.  	}
    58. 

  58.      default:
    59. 

  59. -	return current+2;
    60. 

  60. +	return current+2 <= endp ? current+2 : NULL;
    61. 

  61.      }
    62. 

  62.  }  /* end of nextitem */
    63. 

  63.  
    64. 

  64. @@ -219,7 +226,7 @@ void netclear(void)
    65. 

  65.      register char *thisitem, *next;
    66. 

  66.      char *good;
    67. 

  67.  #define	wewant(p)	((nfrontp > p) && ((*p&0xff) == IAC) && \
    68. 

  68. -				((*(p+1)&0xff) != EC) && ((*(p+1)&0xff) != EL))
    69. 

  69. +				(nfrontp > p+1 && (((*(p+1)&0xff) != EC) && ((*(p+1)&0xff) != EL))))
    70. 

  70.  
    71. 

  71.  #if	defined(ENCRYPT)
    72. 

  72.      thisitem = nclearto > netobuf ? nclearto : netobuf;
    73. 

  73. @@ -227,7 +234,7 @@ void netclear(void)
    74. 

  74.      thisitem = netobuf;
    75. 

  75.  #endif
    76. 

  76.  
    77. 

  77. -    while ((next = nextitem(thisitem)) <= nbackp) {
    78. 

  78. +    while ((next = nextitem(thisitem, nbackp)) != NULL && next <= nbackp) {
    79. 

  79.  	thisitem = next;
    80. 

  80.      }
    81. 

  81.  
    82. 

  82. @@ -239,20 +246,23 @@ void netclear(void)
    83. 

  83.      good = netobuf;	/* where the good bytes go */
    84. 

  84.  #endif
    85. 

  85.  
    86. 

  86. -    while (nfrontp > thisitem) {
    87. 

  87. +    while (thisitem != NULL && nfrontp > thisitem) {
    88. 

  88.  	if (wewant(thisitem)) {
    89. 

  89.  	    int length;
    90. 

  90.  
    91. 

  91.  	    next = thisitem;
    92. 

  92.  	    do {
    93. 

  93. -		next = nextitem(next);
    94. 

  94. -	    } while (wewant(next) && (nfrontp > next));
    95. 

  95. +		next = nextitem(next, nfrontp);
    96. 

  96. +	    } while (next != NULL && wewant(next) && (nfrontp > next));
    97. 

  97. +	    if (next == NULL) {
    98. 

  98. +		next = nfrontp;
    99. 

  99. +	    }
    100. 

  100.  	    length = next-thisitem;
    101. 

  101.  	    bcopy(thisitem, good, length);
    102. 

  102.  	    good += length;
    103. 

  103.  	    thisitem = next;
    104. 

  104.  	} else {
    105. 

  105. -	    thisitem = nextitem(thisitem);
    106. 

  106. +	    thisitem = nextitem(thisitem, nfrontp);
    107. 

  107.  	}
    108. 

  108.      }
    109. 

  109.  
    110. 

  110. -- 
    111. 

  111. 2.7.4
    112. 

  112.