Re: NULL Pointer Dereference in unsetcmd() at inetutils/telnet/commands.

From: Erik Auerswald
Subject: Re: NULL Pointer Dereference in unsetcmd() at inetutils/telnet/commands.c:1227
Date: Fri, 11 Feb 2022 14:38:45 +0100
User-agent: Mutt/1.5.21 (2010-09-15)


On Thu, Feb 10, 2022 at 07:56:28PM +0100, Erik Auerswald wrote:
> On Thu, Dec 23, 2021 at 09:17:45PM +0800, AiDai wrote:
> > # NULL Pointer Dereference in unsetcmd() at inetutils/telnet/commands.c:1227
> > 
> > ## Description
> > 
> > A NULL Pointer Dereference was discovered in unsetcmd() at
> > inetutils/telnet/commands.c:1227. The vulnerability causes a segmentation
> > fault and application crash.
> This happens when the "unset" command is used with a single space as
> argument, because the "Setlist" contains entries for empty lines that use
> a single space as key, but the setlist.handler is 0 and the setlist.charp
> is NULL:
>     {" ", "", 0, NULL},
> There are several (identical) such entries, but since the " " entry is
> matched exactly, isprefix() does not return an ambiguous match, but an
> exact match.
             ^--- of the first such entry

The Setlist table contains comment lines with " " as name, too.

It might be a good idea to not match any table entry in genget() when
the name is a single space (" ").

It could be useful to change isprefix() to not exit early on the
first exact match, and thus return "&ambiguous" when trying to match a
duplicated name.  This would have prevented this specific NULL pointer
dereference, because there is more than one empty and/or comment line,
i.e., with a name of " ", in the respective table.  It would help against
accidentally adding two entries to a table, too.  But it would not guard
against matching the single "empty line" in the Togglelist table.

[M]ost parts of this industry just work by chance.
                        -- Thomas Gleixner
