>From 57390e9ed5702630487d6f7341c54c5c53ced7a5 Mon Sep 17 00:00:00 2001 From: Erik Auerswald Date: Mon, 21 Feb 2022 18:45:58 +0100 Subject: [PATCH] telnet: Abort subnegotiation of XDISPLOC on error. Subnegotiation of the X Display Location option needs to be aborted when it cannot be completed. * NEWS: Mention fix. * telnet/telnet.c (suboption): Call send_wont() to abort when DISPLAY value does not fit into temporary buffer. --- NEWS | 4 ++++ telnet/telnet.c | 6 ++++-- 2 files changed, 8 insertions(+), 2 deletions(-) diff --git a/NEWS b/NEWS index 78e9ca9a..e2bfb8eb 100644 --- a/NEWS +++ b/NEWS @@ -7,6 +7,10 @@ GNU inetutils NEWS -- history of user-visible changes. Don't infloop when (malicious) server sends too large terminal value, see: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=945861 +Abort subnegotiation of X Display Location Option with WONT when DISPLAY +value is too large for buffer. Reported by Joerg Mayer in +. + ** Various bugs fixes, internal improvements and clean ups. Further cleanup of configure.ac, updates to modern autoconf releases, diff --git a/telnet/telnet.c b/telnet/telnet.c index c5b18c14..62c79653 100644 --- a/telnet/telnet.c +++ b/telnet/telnet.c @@ -1008,11 +1008,13 @@ suboption (void) /* Remote host, and display server must not be corrupted * by truncation. In addition, every character of telnet * protocol must remain unsevered. Check that DP fits in - * full within TEMP. Otherwise report buffer error. + * full within TEMP. Otherwise report buffer error and + * turn off the option. */ if (strlen ((char *) dp) >= sizeof (temp) - 4 - 2) { - printf ("lm_will: not enough room in buffer\n"); + printf ("lm_will: not enough room in buffer for DISPLAY\n"); + send_wont (TELOPT_XDISPLOC, 1); break; } -- 2.17.1