
[SCM] GNU Inetutils branch, master, updated. inetutils-1_9_4-68-g07fdb4


From: Mats Erik Andersson
Subject: [SCM] GNU Inetutils branch, master, updated. inetutils-1_9_4-68-g07fdb42
Date: Wed, 29 Jan 2020 15:13:41 -0500 (EST)

This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU Inetutils ".

The branch, master has been updated
       via  07fdb4201a3a5e6df92c0929c65671ce4ba8af5a (commit)
      from  45f0ab0a8f6db70c01b38918c6a7e51bd0ca7935 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
http://git.savannah.gnu.org/cgit/inetutils.git/commit/?id=07fdb4201a3a5e6df92c0929c65671ce4ba8af5a


commit 07fdb4201a3a5e6df92c0929c65671ce4ba8af5a
Author: Mats Erik Andersson <address@hidden>
Date:   Wed Jan 29 21:07:10 2020 +0100

    More work on CVE-2019-0053.
    
    Telnet protocol messages must remain sane at all costs, instead of
    being truncated because indata was oversized.  Some additional cases
    of insufficient buffer declaration are corrected.

diff --git a/ChangeLog b/ChangeLog
index 843fbf6..6dbb150 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,22 @@
+2020-01-29  Mats Erik Andersson  <address@hidden>
+
+       More work on CVE-2019-0053.
+       Telnet protocol messages must not be corrupted when buffer
+       overflows are detected, but should be reported as errors.
+
+       * telnet/telnet.c (suboption): Check that prepared protocol
+       message in fact fits in intermediary buffer without truncation.
+       Tweak indentation for visibility of protocol elements in snprintf.
+
+       Allocate space also for final NUL-character.
+
+       * telnetd/telnetd.c (telnetdrun): Increase DATA string size by one.
+       * telnetd/termstat.c (localstat, flowstat, clientstat): Likewise.
+
+       Insufficiently declared length of string variable.
+
+       * telnetd/utility.c (printsub): Declare TBUF with maximal extent.
+
 2020-01-28  Mats Erik Andersson  <address@hidden>
 
        Better test coverage, mostly IPv6.
diff --git a/telnet/telnet.c b/telnet/telnet.c
index f42957e..297ae0e 100644
--- a/telnet/telnet.c
+++ b/telnet/telnet.c
@@ -859,10 +859,13 @@ suboption (void)
 #endif /* defined(TN3270) */
          name = gettermname ();
          len = strlen (name) + 4 + 2;
-         if (len < NETROOM ())
+
+         if ((len < NETROOM ()) && (len <= sizeof (temp)))
            {
-             snprintf ((char *) temp, sizeof (temp), "%c%c%c%c%s%c%c", IAC, 
SB, TELOPT_TTYPE,
-                      TELQUAL_IS, name, IAC, SE);
+             snprintf ((char *) temp, sizeof (temp), "%c%c%c%c%s%c%c",
+                       IAC, SB, TELOPT_TTYPE, TELQUAL_IS,
+                       name,
+                       IAC, SE);
              ring_supply_data (&netoring, temp, len);
              printsub ('>', &temp[2], len - 2);
            }
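Review bot: The new bound `len <= sizeof (temp)` in the TTYPE branch is one too generous, so the limiting case it admits still truncates the message. snprintf() stores at most `sizeof (temp) - 1` characters before its terminating NUL, so when `len == sizeof (temp)` the closing SE is dropped and `ring_supply_data (&netoring, temp, len)` sends a NUL in its place. The guard should read `if ((len < NETROOM ()) && (len < sizeof (temp)))`. The XDISPLOC hunk at -999 has the same off-by-one: `strlen (dp) > sizeof (temp) - 4 - 2` accepts a DP that leaves no room for the NUL, and should subtract one more. The declarations of `len` and `temp` for this branch are outside the hunk, so the signedness of the comparison is worth confirming there.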
@@ -880,13 +883,15 @@ suboption (void)
       if (SB_GET () == TELQUAL_SEND)
        {
          long ospeed, ispeed;
-         unsigned char temp[50];
+         unsigned char temp[50];       /* Two six-digit integers plus 7.  */
          int len;
 
          TerminalSpeeds (&ispeed, &ospeed);
 
-         snprintf ((char *) temp, sizeof (temp), "%c%c%c%c%d,%d%c%c", IAC, SB, 
TELOPT_TSPEED,
-                  TELQUAL_IS, (int) ospeed, (int) ispeed, IAC, SE);
+         snprintf ((char *) temp, sizeof (temp), "%c%c%c%c%d,%d%c%c",
+                   IAC, SB, TELOPT_TSPEED, TELQUAL_IS,
+                   (int) ospeed, (int) ispeed,
+                   IAC, SE);
          len = strlen ((char *) temp + 4) + 4; /* temp[3] is 0 ... */
 
          if (len < NETROOM ())
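Review bot: The added comment on `temp[50]` describes a typical size rather than the bound that makes the buffer safe. With a 32-bit int, `%d` applied to `(int) ospeed` and `(int) ispeed` can emit up to 11 characters each, so the worst case is 22 digits and signs, 7 protocol bytes (the comma included) and the NUL, 30 in total, which still fits. I would write `/* Worst case: two 11-character ints, 7 protocol bytes and NUL = 30.  */` so the margin is stated rather than implied.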
@@ -999,8 +1004,23 @@ suboption (void)
              send_wont (TELOPT_XDISPLOC, 1);
              break;
            }
-         snprintf ((char *) temp, sizeof (temp), "%c%c%c%c%s%c%c", IAC, SB, 
TELOPT_XDISPLOC,
-                  TELQUAL_IS, dp, IAC, SE);
+
+         /* Remote host, and display server must not be corrupted
+          * by truncation.  In addition, every character of telnet
+          * protocol must remain unsevered.  Check that DP fits in
+          * full within TEMP.  Otherwise report buffer error.
+          */
+         if (strlen (dp) > sizeof (temp) - 4 - 2)
+           {
+             printf ("lm_will: not enough room in buffer\n");
+             break;
+           }
+
+         /* Go ahead safely.  */
+         snprintf ((char *) temp, sizeof (temp), "%c%c%c%c%s%c%c",
+                   IAC, SB, TELOPT_XDISPLOC, TELQUAL_IS,
+                   dp,
+                   IAC, SE);
          len = strlen ((char *) temp + 4) + 4; /* temp[3] is 0 ... */
 
          if (len < NETROOM ())
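Review bot: The new oversize path prints a message and breaks without sending anything to the peer, while the branch just above it (its condition is outside the hunk) answers with `send_wont (TELOPT_XDISPLOC, 1)` before its `break`. If refusing is also the intended reply for an oversized DP, the same `send_wont` call belongs here; if staying silent is deliberate, a comment saying so would help. The message is labelled `lm_will:` although the hunk header places this code in suboption(); that may follow existing messages in the file, but something like `printf ("suboption: XDISPLOC value too long for buffer\n");` would make the diagnostic traceable.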
diff --git a/telnetd/telnetd.c b/telnetd/telnetd.c
index a3badbe..048ed13 100644
--- a/telnetd/telnetd.c
+++ b/telnetd/telnetd.c
@@ -704,7 +704,7 @@ telnetd_run (void)
              int newflow = (c & TIOCPKT_DOSTOP) ? 1 : 0;
              if (newflow != flowmode)
                {
-                 char data[6];
+                 char data[7];
 
                  sprintf (data, "%c%c%c%c%c%c",
                           IAC, SB, TELOPT_LFLOW,
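Review bot: Growing `data` to 7 makes room for the NUL that sprintf() appends after the six `%c` bytes, but the size is still a hand-counted number next to an unbounded `sprintf`. Using `snprintf (data, sizeof (data), ...)`, as printsub() in telnetd/utility.c does, would keep a later change to the format from overrunning the array. The same applies to the `data[8]` and `data[7]` declarations in the telnetd/termstat.c hunks (localstat, flowstat, clientstat), where only some of the matching sprintf calls are visible. The sprintf call here continues past the end of the hunk.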
diff --git a/telnetd/termstat.c b/telnetd/termstat.c
index daeea00..6f94da0 100644
--- a/telnetd/termstat.c
+++ b/telnetd/termstat.c
@@ -304,7 +304,7 @@ localstat (void)
        }
       else if (lmodetype == REAL_LINEMODE)
        {
-         char data[7];
+         char data[8];
 
          send_do (TELOPT_LINEMODE, 1);
          /* send along edit modes */
@@ -339,7 +339,7 @@ localstat (void)
          /*
           * Send along appropriate edit mode mask.
           */
-         char data[7];
+         char data[8];
 
          sprintf (data, "%c%c%c%c%c%c%c",
                   IAC, SB, TELOPT_LINEMODE,
@@ -391,7 +391,7 @@ flowstat (void)
 {
   if (his_state_is_will (TELOPT_LFLOW))
     {
-      char data[6];
+      char data[7];
 
       if (tty_flowmode () != flowmode)
        {
@@ -476,7 +476,7 @@ clientstat (register int code, register int parm1, register 
int parm2)
          if (lmodetype == REAL_LINEMODE && uselinemode)
            if (uselinemode)
              {
-               char data[7];
+               char data[8];
 
                useeditmode = 0;
                if (tty_isediting ())
@@ -553,7 +553,7 @@ clientstat (register int code, register int parm1, register 
int parm2)
 
            if (!ack)
              {
-               char data[7];
+               char data[8];
 
                sprintf (data, "%c%c%c%c%c%c%c",
                         IAC, SB, TELOPT_LINEMODE,
diff --git a/telnetd/utility.c b/telnetd/utility.c
index dc87e9a..42f624e 100644
--- a/telnetd/utility.c
+++ b/telnetd/utility.c
@@ -1225,7 +1225,8 @@ printsub (int direction, unsigned char *pointer, int 
length)
              break;
            }
          {
-           char tbuf[32];
+           char tbuf[sizeof ("|EDIT|TRAPSIG|SOFT_TAB|LIT_ECHO|ACK")];
+
            snprintf (tbuf, sizeof (tbuf), "%s%s%s%s%s",
                      pointer[2] & MODE_EDIT ? "|EDIT" : "",
                      pointer[2] & MODE_TRAPSIG ? "|TRAPSIG" : "",
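Review bot: Sizing `tbuf` from the string literal is correct only while that literal stays equal to the concatenation of the five flag strings passed to snprintf(), and nothing in the code records that coupling. Only `|EDIT` and `|TRAPSIG` are visible here; the remaining three arguments lie past the end of the hunk, so the match should be checked there. A comment such as `/* Longest result: all five mode flags set; keep in sync with the strings below.  */` above the declaration would stop a later flag from silently reintroducing truncation.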

-----------------------------------------------------------------------

Summary of changes:
 ChangeLog          | 19 +++++++++++++++++++
 telnet/telnet.c    | 36 ++++++++++++++++++++++++++++--------
 telnetd/telnetd.c  |  2 +-
 telnetd/termstat.c | 10 +++++-----
 telnetd/utility.c  |  3 ++-
 5 files changed, 55 insertions(+), 15 deletions(-)


hooks/post-receive
-- 
GNU Inetutils 


