[PATCH 2/3] telnet: Fix TTYPE subnegotiation off-by-one error.
From: Erik Auerswald
Subject: [PATCH 2/3] telnet: Fix TTYPE subnegotiation off-by-one error.
Date: Sun, 27 Feb 2022 17:34:49 +0100
User-agent: Mutt/1.5.21 (2010-09-15)

Fix off-by-one error in Terminal-Type option subnegotiation if the TERM
variable has exactly 44 bytes. In this case the SE byte (end of
subnegotiation parameters) was replaced by a NUL byte. This concerns
the CVE-2019-0053 fixes. Reported by Erik Auerswald in
<https://lists.gnu.org/archive/html/bug-inetutils/2022-02/msg00004.html>.
* NEWS: Mention fix.
* telnet/telnet.c (suboption): Adjust length check to account for NUL
byte written by snprintf().
---
NEWS | 5 +++++
telnet/telnet.c | 2 +-
2 files changed, 6 insertions(+), 1 deletion(-)
diff --git a/NEWS b/NEWS
index 166ca457..319bb2f9 100644
--- a/NEWS
+++ b/NEWS
@@ -11,6 +11,11 @@ Abort subnegotiation of X Display Location Option with WON'T
when DISPLAY
value is too large for buffer. Reported by Joerg Mayer in
<https://lists.gnu.org/archive/html/bug-inetutils/2022-01/msg00010.html>.
+Fix off-by-one error in Terminal-Type option subnegotiation if the TERM
+variable has exactly 44 bytes. This concerns the CVE-2019-0053 fixes.
+Reported by Erik Auerswald in
+<https://lists.gnu.org/archive/html/bug-inetutils/2022-02/msg00004.html>.
+
** Various bugs fixes, internal improvements and clean ups.
Further cleanup of configure.ac, updates to modern autoconf releases,
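Review bot: The NEWS entry added in this hunk names the off-by-one but not its observable effect, which the commit message does give: the SE byte that ends the subnegotiation parameters was replaced by a NUL byte. Consider adding that sentence to the entry, so a NEWS reader can recognise the symptom of a Terminal-Type subnegotiation that never terminates when TERM has exactly 44 bytes.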
diff --git a/telnet/telnet.c b/telnet/telnet.c
index 62c79653..d7e0ad8e 100644
--- a/telnet/telnet.c
+++ b/telnet/telnet.c
@@ -860,7 +860,7 @@ suboption (void)
name = gettermname ();
len = strlen (name) + 4 + 2;
- if ((len < NETROOM ()) && (len <= (int) sizeof (temp)))
+ if ((len < NETROOM ()) && (len < (int) sizeof (temp)))
{
snprintf ((char *) temp, sizeof (temp), "%c%c%c%c%s%c%c",
IAC, SB, TELOPT_TTYPE, TELQUAL_IS,
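Review bot: The changed condition `len < (int) sizeof (temp)` has no comment saying why `<=` was wrong, and the reason is not visible on the line itself: `len` counts the four leading bytes, the name and the trailing IAC SE, while snprintf() needs one further byte for its terminating NUL. A short comment above the `if`, or writing the test as `len + 1 <= (int) sizeof (temp)`, would make it harder for a later edit to reintroduce the off-by-one. Comparing the snprintf() return value against `len` would also catch any truncation directly; the hunk ends before showing whether that is done.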
--
In the beginning, there were not enough colors.
-- Guy Keren
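
The off-by-one described in the commit message, reproduced as an added example (not part of the patch or of inetutils). The 50-byte buffer size is an assumption inferred from the 44-byte figure (44 + 4 + 2), and `build_ttype` and `last_byte` are hypothetical helper names.

```c
#include <stdio.h>
#include <string.h>

/* Telnet protocol bytes (values as in <arpa/telnet.h>). */
#define IAC 255
#define SB 250
#define SE 240
#define TELOPT_TTYPE 24
#define TELQUAL_IS 0
/* Assumed buffer size, inferred from the 44-byte case: 44 + 4 + 2 = 50. */
#define TEMP_SIZE 50

/* Build IAC SB TTYPE IS <name> IAC SE into out[TEMP_SIZE].
   strict = 0 applies the old check (len <= size), strict = 1 the fixed one.
   Returns the number of bytes that would be sent, or -1 if rejected. */
static int build_ttype (const char *name, int strict, unsigned char *out)
{
  int len = (int) strlen (name) + 4 + 2;
  int fits = strict ? (len < TEMP_SIZE) : (len <= TEMP_SIZE);
  if (!fits) return -1;
  /* snprintf() always NUL-terminates: only TEMP_SIZE - 1 payload bytes fit. */
  snprintf ((char *) out, TEMP_SIZE, "%c%c%c%c%s%c%c",
            IAC, SB, TELOPT_TTYPE, TELQUAL_IS, name, IAC, SE);
  return len;
}

/* Last byte of the message that would be sent, or -1 if the name is rejected.
   The name is constructed test data: name_len copies of 'x' (name_len < 64). */
static int last_byte (size_t name_len, int strict)
{
  char name[64];
  unsigned char temp[TEMP_SIZE];
  int len;
  memset (name, 'x', name_len);
  name[name_len] = '\0';
  len = build_ttype (name, strict, temp);
  return len < 0 ? -1 : temp[len - 1];
}

int main (void)
{
  printf ("old check, 43 bytes: %d\n", last_byte (43, 0));
  printf ("old check, 44 bytes: %d\n", last_byte (44, 0));
  printf ("new check, 44 bytes: %d\n", last_byte (44, 1));
  return 0;
}
```

With the old check a 44-byte name is accepted and the final byte is NUL instead of SE; with the fixed check the same name is rejected before snprintf() runs.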