bug-inetutils

Re: NULL Pointer Dereference in unsetcmd() at inetutils/telnet/commands.


From: Erik Auerswald
Subject: Re: NULL Pointer Dereference in unsetcmd() at inetutils/telnet/commands.c:1227
Date: Fri, 8 Jul 2022 19:13:25 +0200

Hi Simon,

On Thu, Jul 07, 2022 at 11:32:50PM +0200, Simon Josefsson wrote:
> Erik Auerswald <auerswal@unix-ag.uni-kl.de> writes:
> 
> >> This happens when the "unset" command is used with a single space as
> >> argument, [...]
> 
> I do wonder if this (and other) bugs are present in other modern
> implementations though?  Or if they discovered this problem and patched
> it in some different way...  if anyone has time to look into it, that
> would be nice.

At least Netkit telnet has the same set/unset crash:

    $ telnet.netkit 
    telnet.netkit> set ' ' crash
    Segmentation fault (core dumped)

    $ telnet.netkit 
    telnet.netkit> unset ' '
    Segmentation fault (core dumped)

Also the makeargv() crash:

    $ telnet.netkit
    telnet.netkit> help z ! ? z ! ? z ! ? z ! ? z ! ? z ! ? z !
    suspend telnet
    ?Invalid help command !
    Print help information
    suspend telnet
    ?Invalid help command !
    Print help information
    suspend telnet
    ?Invalid help command !
    Print help information
    suspend telnet
    ?Invalid help command !
    Print help information
    suspend telnet
    ?Invalid help command !
    Print help information
    suspend telnet
    ?Invalid help command !
    Print help information
    suspend telnet
    Segmentation fault (core dumped)

It does not have the "help help" crash:

    $ telnet.netkit
    telnet.netkit> help help
    Print help information
    telnet.netkit> q

This is Netkit telnet from Ubuntu 20.04:

    $ dpkg -S `which telnet.netkit`
    telnet: /usr/bin/telnet.netkit

    $ apt-cache policy telnet | grep '\*\*\*'
     *** 0.17-41.2build1 500

It seems to me as if this Netkit project no longer exists.  Since I do
not know the upstream project, I have not reported any bugs, and have not
sent any patches.

I do not have a BSD system to test, but anyone who does can easily try
out the above.

Thanks,
Erik
-- 
Thinking doesn't guarantee that we won't make mistakes. But not thinking
guarantees that we will.
                        -- Leslie Lamport


