path: root/meta/recipes-connectivity/inetutils/inetutils/CVE-2022-39028.patch
From eaae65aac967f9628787dca4a2501ca860bb6598 Mon Sep 17 00:00:00 2001
From: Minjae Kim <flowergom@gmail.com>
Date: Mon, 26 Sep 2022 22:05:07 +0200
Subject: [PATCH] telnetd: Handle early IAC EC or IAC EL receipt

Fix telnetd crash if the first two bytes of a new connection
are 0xff 0xf7 (IAC EC) or 0xff 0xf8 (IAC EL).

The problem was reported in:
<https://pierrekim.github.io/blog/2022-08-24-2-byte-dos-freebsd-netbsd-telnetd-netkit-telnetd-inetutils-telnetd-kerberos-telnetd.html>.

* NEWS: Mention fix.
* telnetd/state.c (telrcv): Handle zero slctab[SLC_EC].sptr and
zero slctab[SLC_EL].sptr.

CVE: CVE-2022-39028
Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/inetutils.git/commit/?id=fae8263e467380483c28513c0e5fac143e46f94f]
Signed-off-by: Minjae Kim<flowergom@gmail.com>
---
 telnetd/state.c | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)

diff --git a/telnetd/state.c b/telnetd/state.c
index 2184bca..7948503 100644
--- a/telnetd/state.c
+++ b/telnetd/state.c
@@ -314,15 +314,21 @@ telrcv (void)
 	    case EC:
 	    case EL:
 	      {
-		cc_t ch;
+		cc_t ch = (cc_t) (_POSIX_VDISABLE);
 
 		DEBUG (debug_options, 1, printoption ("td: recv IAC", c));
 		ptyflush ();	/* half-hearted */
 		init_termbuf ();
 		if (c == EC)
-		  ch = *slctab[SLC_EC].sptr;
+		{
+		  if (slctab[SLC_EC].sptr)
+		    ch = *slctab[SLC_EC].sptr;
+		}
 		else
-		  ch = *slctab[SLC_EL].sptr;
+		{
+		  if (slctab[SLC_EL].sptr)
+		    ch = *slctab[SLC_EL].sptr;
+		}
 		if (ch != (cc_t) (_POSIX_VDISABLE))
 		  pty_output_byte ((unsigned char) ch);
 		break;
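Review bot: The new null checks on `slctab[SLC_EC].sptr` and `slctab[SLC_EL].sptr` have no comment saying when the pointer is unset, so the reason `ch` now starts as `_POSIX_VDISABLE` lives only in the commit message; a line such as `/* sptr may still be zero when IAC EC/EL are the first bytes of a connection; leave ch disabled then. */` above `if (c == EC)` would keep it with the code. The two branches are also identical apart from the index and could collapse to `cc_t *sp = slctab[c == EC ? SLC_EC : SLC_EL].sptr;` followed by `if (sp) ch = *sp;`, assuming `sptr` is a `cc_t *` as the assignment suggests. As written, the added braces sit at the column of the `if`, while the surrounding lines indent braces GNU-style (compare the `{` under `case EL:`). The `case` block and the rest of `telrcv` lie outside this hunk, so any other dereference of an `sptr` entry on the receive path is not visible here and would merit the same guard.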
-- 
2.25.1