Re: Telnetd AYT overflow scanner

[der Mouse <mouse () Rodents Montreal QC CA>]

> /*
>  * Telnetd AYT overflow scanner, by Security Point(R)
>  *              Bug found by scut of TESO Security
[...]
>  * With Security Point(R) Scanner you can find and repair the
>  * Vulnerabilities before the bad guys get in.

Does anyone else find it as ironic as I that this code contains
a..buffer overflow?

> char sendbuffer[5120*2];

>     bzero(sendbuffer,sizeof(sendbuffer));
>     for (i=0;i!=(sizeof(sendbuffer)/2);i++) {
>       sprintf(sendbuffer,"%s%c%c",sendbuffer,255,246); // 0xff 0xf6 - IAC AYT
>     }

Quite aside from the _horrible_ misuse of sprintf, this writes a NUL
one byte past the end of sendbuffer[].

I sure wouldn't trust anything about my system to code from whoever
wrote this.  Just on a quick once-over, I see seven other things I
would say are wrong with it.

/~\ The ASCII                           der Mouse
\ / Ribbon Campaign
 X  Against HTML               mouse () rodents montreal qc ca
/ \ Email!           7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B