[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [bug-inetutils] Buffer overflow for gnu inetutils telnetd

From: Chris Severance
Subject: Re: [bug-inetutils] Buffer overflow for gnu inetutils telnetd
Date: Tue, 11 Jul 2017 02:21:16 -0400

There's nothing to reproduce. Your compile settings and glibc are
allowing the buffer overflows because they don't overflow enough to get
noticed. Compile with -Wformat-overflow=2 and the errors are all listed

telnetd.c: In function 'telnetd_run':
telnetd.c:711:33: warning: '__builtin___sprintf_chk' writing a
terminating nul past the end of the destination [-Wformat-overflow=]
     sprintf (data, "%c%c%c%c%c%c",
In file included from /usr/include/stdio.h:939:0,
                 from ../lib/stdio.h:43,
                 from telnetd.h:25,
                 from telnetd.c:23:
/usr/include/bits/stdio2.h:33:10: note: '__builtin___sprintf_chk' output
7 bytes into a destination of size 6
   return __builtin___sprintf_chk (__s, __USE_FORTIFY_LEVEL - 1,
       __bos (__s), __fmt, __va_arg_pack ());

Unfortunately gcc 7.1.1 -stack-protector is also bugged and can't always
detect this.

On Mon, Jul 10, 2017, at 04:34 PM, Alfred M. Szmidt wrote:
>    2017-02-21 18:50 Mats Erik Andersson o telnetd: Debugging of line mode
>    options.
>    9db2d39777f8d37496265fc732e640a2ea0c9a29
>    This new code is causing a buffer overflow. I can immediately see that
>    char data[6] doesn't include space for the trailing \0. I tried
>    boosting
>    to "char data[1000]" and that stopped the overflow but then it output
>    junk characters in place of the OS greeting.
> I can't reproduce the behaviour, do you have a note of your setup?

reply via email to

[Prev in Thread] Current Thread [Next in Thread]