[bug-inetutils] telnet (GNU inetutils) 1.7 cmdrc() local buffer overflow

From: 王智通
Subject: [bug-inetutils] telnet (GNU inetutils) 1.7 cmdrc() local buffer overflow hole
Date: Sun, 27 Dec 2009 11:37:53 +0800

Dear all,

I downloaded the GNU telnet code from http://ftp.gnu.org/gnu/inetutils/inetutils-1.7.tar.gz. In the telnet code, in commands.c, I found that this function has a local buffer overflow bug:


static char *rcname = 0;
static char rcbuf[128];

static void
cmdrc (char *m1, char *m2)
{
  if (rcname == 0)
    {
      /* getenv() returns the value of HOME, but its length is not checked
         before it is copied into rcbuf. If the value is too long (>128),
         it causes a buffer overflow. */
      rcname = getenv ("HOME");
      if (rcname)
        strcpy (rcbuf, rcname);
      else
        rcbuf[0] = '\0';
      strcat (rcbuf, "/.telnetrc");
      rcname = rcbuf;
    }
  /* rest of cmdrc() not shown */
}


You can test it with:


Export HOME=”aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa”


./telnet localhost 22


My terminal has crashed.


And my patch is:


diff -Nur inetutils-1.7/telnet/commands.c inetutils-1.7-new/telnet/commands.c

--- inetutils-1.7/telnet/commands.c     2009-12-14 19:36:17.000000000 +0800

+++ inetutils-1.7-new/telnet/commands.c 2009-12-27 19:02:44.000000000 +0800

@@ -3029,6 +3029,8 @@

   if (rcname == 0)


       rcname = getenv ("HOME");

+      if (strlen(rcname) > 128)

+        return ;

       if (rcname)

        strcpy (rcbuf, rcname);
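
Review bot: the added `strlen(rcname)` runs before the existing `if (rcname)` test, so when HOME is unset and getenv() returns NULL the new check dereferences a null pointer. The `> 128` bound is also too loose: rcbuf is 128 bytes and the code goes on to append "/.telnetrc" (10 characters) plus the terminating NUL, so any HOME longer than 117 bytes still overflows, and a HOME of exactly 128 bytes already overflows in the strcpy. Suggest testing `rcname && strlen (rcname) + sizeof ("/.telnetrc") > sizeof (rcbuf)`, or building the path with snprintf and checking its return value. The early `return` also leaves rcname pointing at the HOME value, so the `rcname == 0` block is skipped on later calls and rcname never becomes the rc file path; resetting rcname to 0 before returning would avoid that.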




This email (including any attachments) is confidential and may be legally privileged. If you received this email in error, please delete it immediately and do not copy it or use it for any purpose or disclose its contents to any other person. Thank you.
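
Added example, not part of the original message and not inetutils code: a bounded way to build the rc file path that accounts for the "/.telnetrc" suffix and the NUL terminator as well as for HOME itself. The helper name build_rc_path() and the RC_SUFFIX macro are hypothetical; rcbuf keeps the 128-byte size from the quoted code.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define RC_SUFFIX "/.telnetrc"

/* Same size as rcbuf in the quoted commands.c. */
static char rcbuf[128];

/* build_rc_path() is a hypothetical helper, not an inetutils function.
   It writes "<home>/.telnetrc" into out and returns 0. If the result plus
   its NUL terminator would not fit in outsz bytes it returns -1 and leaves
   out empty. A NULL home is treated as "", like the quoted else branch. */
static int
build_rc_path (const char *home, char *out, size_t outsz)
{
  int n;

  if (out == NULL || outsz == 0)
    return -1;
  if (home == NULL)
    home = "";

  /* snprintf() writes at most outsz bytes and returns the length the
     complete string would have had, so truncation can be detected. */
  n = snprintf (out, outsz, "%s%s", home, RC_SUFFIX);
  if (n < 0 || (size_t) n >= outsz)
    {
      out[0] = '\0';
      return -1;
    }
  return 0;
}

int
main (void)
{
  /* With a 128-byte buffer and the 10-character suffix, HOME may be at
     most 117 bytes long; anything longer is rejected, not copied. */
  if (build_rc_path (getenv ("HOME"), rcbuf, sizeof rcbuf) != 0)
    {
      fputs ("HOME is too long for the rc file path\n", stderr);
      return 1;
    }
  printf ("rc file: %s\n", rcbuf);
  return 0;
}
```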

