oss-sec mailing list archives
Re: Multiple telnet.c overflows
From: Alan Coopersmith <alan.coopersmith () oracle com>
Date: Tue, 11 Dec 2018 13:10:51 -0800
On 12/11/18 10:39 AM, Hacker Fantastic wrote:
When a telnet server requests environment options the sprintf on line 1002 will not perform bounds checking and causes an overflow of stack buffer temp[50] defined at line 990. This issue can be trivially fixed using a patch to add bounds checking to sprintf such as with a call to snprintf();
GNU inetutils telnet is a fork of the original BSD telnet code, but most of the BSDs seem to have already switched to snprintf a while ago:

https://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/telnet/telnet.c.diff?r1=1.3&r2=1.4&f=h
https://github.com/freebsd/freebsd/commit/d2f83e4ec488ec62281318b26dad107e65d96d0c#diff-3503402e6a2ad1eb960a4f475f19fb9f

with NetBSD as the outlier:

http://cvsweb.netbsd.org/bsdweb.cgi/src/usr.bin/telnet/telnet.c?rev=1.36&content-type=text/x-cvsweb-markup&only_with_tag=MAIN

illumos also uses snprintf, in the code it inherited from OpenSolaris:

https://github.com/illumos/illumos-gate/blob/master/usr/src/cmd/cmd-inet/usr.bin/telnet/telnet.c#L955

-alan-
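Added example, not part of the original message and not code from inetutils or any of the linked trees: a bounded replacement for an unchecked sprintf into a 50-byte stack buffer, which also checks snprintf's return value so an oversized value is rejected instead of being sent truncated. The helper name, the "NAME=value" layout and the sample inputs are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define TEMP_SIZE 50            /* same size as the temp[50] in the report */

/* Hypothetical helper: format an environment-derived value into a fixed
 * buffer. Returns the number of bytes written (excluding the NUL), or -1
 * if the result would not fit. On failure the buffer is emptied so that a
 * silently truncated string is never used by the caller. */
int format_env_reply(char *out, size_t outsz,
                     const char *name, const char *value)
{
    if (out == NULL || outsz == 0 || name == NULL || value == NULL)
        return -1;

    /* snprintf never writes more than outsz bytes, but it returns the
     * length the full string WOULD have had; n >= outsz means truncation. */
    int n = snprintf(out, outsz, "%s=%s", name, value);
    if (n < 0 || (size_t)n >= outsz) {
        out[0] = '\0';
        return -1;
    }
    return n;
}

/* Constructed input: a value of vlen 'A' bytes, as a server-influenced
 * environment string of arbitrary length might be. */
int demo_with_value_len(size_t vlen)
{
    char temp[TEMP_SIZE];
    char value[256];

    if (vlen >= sizeof value)
        return -1;
    memset(value, 'A', vlen);
    value[vlen] = '\0';
    return format_env_reply(temp, sizeof temp, "DISPLAY", value);
}

int main(void)
{
    printf("41-byte value:  %d\n", demo_with_value_len(41));   /* fits */
    printf("42-byte value:  %d\n", demo_with_value_len(42));   /* rejected */
    printf("200-byte value: %d\n", demo_with_value_len(200));  /* rejected */
    return 0;
}
```
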