
[bug-inetutils] telnet (GNU inetutils) 1.7 cmdrc() local buffer overflow


From: 王智通
Subject: [bug-inetutils] telnet (GNU inetutils) 1.7 cmdrc() local buffer overflow hole
Date: Sun, 27 Dec 2009 11:37:53 +0800

Dear all,

I downloaded the GNU telnet code from http://ftp.gnu.org/gnu/inetutils/inetutils-1.7.tar.gz. In the telnet code in commands.c, I found that this function has a local buffer overflow bug; see:

commands.c:

static char *rcname = 0;
static char rcbuf[128];

static void
cmdrc (char *m1, char *m2)
{
  if (rcname == 0)
    {
      // When getenv() returns the HOME environment value, the length of
      // the value is not tested before it is copied to rcbuf. If the
      // length is too long (>128), it will cause a buffer overflow.
      rcname = getenv ("HOME");
      if (rcname)
        strcpy (rcbuf, rcname);
      else
        rcbuf[0] = '\0';
      strcat (rcbuf, "/.telnetrc");
      rcname = rcbuf;
    }

You can test it with:

export HOME="aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
./telnet localhost 22

My terminal has crashed.

And my patch is:


diff -Nur inetutils-1.7/telnet/commands.c inetutils-1.7-new/telnet/commands.c

--- inetutils-1.7/telnet/commands.c     2009-12-14 19:36:17.000000000 +0800

+++ inetutils-1.7-new/telnet/commands.c 2009-12-27 19:02:44.000000000 +0800

@@ -3029,6 +3029,8 @@

   if (rcname == 0)

     {

       rcname = getenv ("HOME");

+      if (strlen(rcname) > 128)

+        return ;

       if (rcname)

        strcpy (rcbuf, rcname);

       else
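
Review bot: the added strlen(rcname) runs before the existing "if (rcname)" test, so when HOME is unset getenv returns NULL and the new line dereferences it; the length test belongs inside the "if (rcname)" branch. The bound is also too loose: rcbuf is 128 bytes and strcat appends "/.telnetrc" (10 characters) plus the terminating NUL after the copy, so a HOME of 118 to 128 characters passes this check and still writes past the buffer; compare against sizeof rcbuf minus the suffix length minus 1, or build the path with a bounded call and check for truncation. Returning at this point also leaves rcname holding the HOME pointer, so the "rcname == 0" guard is skipped on later calls and rcname names the home directory instead of the rc file; reset rcname or fall back to an empty rcbuf before returning.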

 

 



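
A bounded way to build the rc file path, as an added example that is not part of the original message or the inetutils source. build_rc_path is a hypothetical helper; the 128-byte buffer and the "/.telnetrc" suffix are taken from the code quoted in the report.

```c
#include <stdio.h>
#include <string.h>

#define RCBUF_SIZE 128            /* same size as rcbuf in the report */
#define RC_SUFFIX  "/.telnetrc"   /* suffix appended by cmdrc() */

/*
 * build_rc_path() is a hypothetical helper, not an inetutils function.
 * It writes "<home>/.telnetrc" into buf and returns 0 on success, or -1
 * if the result (including the terminating NUL) does not fit in buflen
 * bytes. A NULL home is treated as empty, like the original else-branch.
 */
static int
build_rc_path (const char *home, char *buf, size_t buflen)
{
  int n;

  if (buf == NULL || buflen == 0)
    return -1;
  if (home == NULL)
    home = "";

  /* snprintf writes at most buflen bytes and returns the length the
     full string would have had, so truncation can be detected. */
  n = snprintf (buf, buflen, "%s%s", home, RC_SUFFIX);
  if (n < 0 || (size_t) n >= buflen)
    {
      buf[0] = '\0';   /* do not leave a truncated path behind */
      return -1;
    }
  return 0;
}

int
main (void)
{
  char rcbuf[RCBUF_SIZE];
  char home[200];           /* constructed over-long HOME value */

  memset (home, 'a', sizeof home - 1);
  home[sizeof home - 1] = '\0';

  printf ("long HOME: %d\n", build_rc_path (home, rcbuf, sizeof rcbuf));
  printf ("/home/user: %d -> %s\n",
          build_rc_path ("/home/user", rcbuf, sizeof rcbuf), rcbuf);
  return 0;
}
```

With a 128-byte buffer the longest HOME that fits is 117 characters, because the 10-character suffix and the NUL terminator also have to fit.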