bug-inetutils
[Top][All Lists]
Advanced
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: NULL Pointer Dereference in help()

From: Erik Auerswald
Subject: Re: NULL Pointer Dereference in help()
Date: Sat, 12 Feb 2022 20:33:16 +0100
User-agent: Mutt/1.5.21 (2010-09-15) 
Hi,

On Thu, Dec 23, 2021 at 09:15:59PM +0800, AiDai wrote:
> Line 1: # NULL Pointer Dereference in help() at
> inetutils/telnet/commands.c:3094

Thanks for fuzzing GNU inetutils!

> AiDai <wyxaidai@gmail.com> 于2021年12月23日周四 21:13写道:
> 
> > **command:**
> >
> > ```
> > ./telnet < ./poc
> > ```
> >
> >> ## Description
> >>
> >> A NULL Pointer Dereference was discovered in help() at
> >> inetutils/telnet/commands.c:3094. The vulnerability causes a segmentation
> >> fault and application crash.

This problem occurs when asking for the help text for the help command
using the name "help" instead of "?":

    $ telnet/telnet
    telnet> help ?
    print help information
    telnet> help help
    Segmentation fault (core dumped)

The cause is no help text for "help" in cmdtab2.  This is valid according
to the comments describing "struct Command":

    typedef struct
    {
      const char *name;             /* command name */
      const char *help;             /* help string (NULL for no help) */
      int (*handler) ();            /* routine which executes command */
      int needconnect;              /* Do we need to be connected to execute? */
    } Command;

But the code in help() only checks this when given no arguments, not
with arguments to "help".

The first attached patch "inetutils-telnet-dont_print_nonexistent_help.patch"
fixes this.

This is the correct fix for this issue.

The second attached patch "inetutils-telnet-use_help_helptext.patch" adds
the existing help text for the help command to cmdtab2.  This also fixes
the NULL pointer dereference, but only for the "help" entry.  This suffices
currently, because this is the only entry without a help text, but
providing no help text is intended as valid and thus must be handled.  Thus
this is intended to improve the user experience, not as a fix for following
a NULL pointer into chaos and madness.

Thanks,
Erik
-- 
Golden rule #12: When the comments do not match the code, they probably
                 are both wrong.
                        -- Steven Rostedt

Attachment: inetutils-telnet-dont_print_nonexistent_help.patch
Description: Text Data

Attachment: inetutils-telnet-use_help_helptext.patch
Description: Text Data

reply via email to
[Prev in Thread] Current Thread [Next in Thread]