bug-inetutils

Re: NULL Pointer Dereference in unsetcmd() at inetutils/telnet/commands.


From: Simon Josefsson
Subject: Re: NULL Pointer Dereference in unsetcmd() at inetutils/telnet/commands.c:1227
Date: Thu, 07 Jul 2022 23:32:50 +0200
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/27.1 (gnu/linux)

Erik Auerswald <auerswal@unix-ag.uni-kl.de> writes:

>> This happens when the "unset" command is used with a single space as
>> argument, because the "Setlist" contains entries for empty lines that use
>> a single space as key, but the setlist.handler is 0 and the setlist.charp
>> is NULL:
>> 
>>     {" ", "", 0, NULL},
>> 
>> There are several (identical) such entries, but since the " " entry is
>> matched exactly, isprefix() does not return an ambiguous match, but an
>> exact match.
>              ^--- of the first such entry
>
> The Setlist table contains comment lines with " " as name, too.
>
> It might be a good idea to not match any table entry in genget() when
> the name is a single space (" ").
>
> It could be useful to change isprefix() to not exit early on the
> first exact match, and thus return "&ambiguous" when trying to match a
> duplicated name.  This would have prevented this specific NULL pointer
> dereference, because there is more than one empty and/or comment line,
> i.e., with a name of " ", in the respective table.  It would help against
> accidentally adding two entries to a table, too.  But it would not guard
> against matching the single "empty line" in the Togglelist table.

Yeah, I agree, but this code is in libtelnet/genget.c which is really
ancient.  It is not clear that patching it now improves anything, it may
just risk introducing new problems.

I do wonder if this (and other) bugs are present in other modern
implementations though?  Or if they discovered this problem and patched
it in some different way...  if anyone has time to look into it, that
would be nice.

/Simon
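A reduced model of the lookup and unset path the thread discusses, added here as an example and not inetutils' own code: the Setlist rows, isprefix() and the lookups are constructed to the shape described above, with the original-style early return on the first exact match beside a hardened lookup that skips blank/comment rows and treats a duplicated exact name as ambiguous, and unset_one() guarding the NULL handler/charp case instead of dereferencing it.

```c
#include <ctype.h>
#include <stddef.h>
/* Constructed model of the telnet Setlist rows discussed in the thread (assumption: the real table has more fields and entries); " " rows carry neither handler nor charp. */
struct setent { const char *name; const char *help; void (*handler)(int); char *charp; };
static char echo_ch = 'E', escape_ch = ']';
static struct setent setlist[] = {
    {" ", "", 0, NULL},                            /* blank line */
    {"echo", "character to toggle local echo", 0, &echo_ch},
    {" ", "", 0, NULL},                            /* a second blank/comment line */
    {"escape", "character to escape back to command mode", 0, &escape_ch},
    {0, 0, 0, NULL}
};
static struct setent ambiguous_ent;                /* sentinel, like &ambiguous in genget.c */
/* -1: exact match, 0: not a prefix (empty name never matches), >0: proper prefix of s2 (case-insensitive) */
static int isprefix(const char *s1, const char *s2) {
    const char *os1 = s1;
    if (*s1 == '\0') return 0;
    while (*s1 && tolower((unsigned char)*s1) == tolower((unsigned char)*s2)) { s1++; s2++; }
    return *s1 ? 0 : (*s2 ? (int)(s1 - os1) : -1);
}
/* Lookup as the thread describes it: the first exact match wins at once, so " " finds a blank row. */
static struct setent *lookup_original(const char *name) {
    struct setent *found = NULL;
    for (struct setent *c = setlist; c->name; c++) {
        int n = isprefix(name, c->name);
        if (n < 0) return c;                       /* exact: returned without looking further */
        if (n > 0) { if (found) return &ambiguous_ent; found = c; }
    }
    return found;
}
/* Hardened lookup: rows with neither handler nor charp are never candidates, and a duplicated exact name becomes ambiguous instead of the first copy silently winning. */
static struct setent *lookup_hardened(const char *name) {
    struct setent *exact = NULL, *prefix = NULL; int nprefix = 0;
    for (struct setent *c = setlist; c->name; c++) {
        if (c->handler == NULL && c->charp == NULL) continue;
        int n = isprefix(name, c->name);
        if (n < 0) { if (exact) return &ambiguous_ent; exact = c; }
        else if (n > 0) { prefix = c; nprefix++; }
    }
    return exact ? exact : (nprefix > 1 ? &ambiguous_ent : prefix);
}
/* Model of unsetcmd(): 0 = done, 1 = unknown name, 2 = ambiguous, 3 = row has neither handler nor charp, which is where the unguarded original dereferences NULL. */
static int unset_one(struct setent *(*lookup)(const char *), const char *arg) {
    struct setent *ct = lookup(arg);
    if (ct == NULL || ct == &ambiguous_ent) return ct ? 2 : 1;
    if (ct->handler) { ct->handler(0); return 0; }
    if (ct->charp == NULL) return 3;               /* the guard the report asks for */
    *ct->charp = '\0';                             /* stands in for _POSIX_VDISABLE */
    return 0;
}
```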
