
Re: [bug-inetutils] telnet (GNU inetutils) 1.7 cmdrc() local buffer over


From: Giuseppe Scrivano
Subject: Re: [bug-inetutils] telnet (GNU inetutils) 1.7 cmdrc() local buffer overflow hole
Date: Mon, 28 Dec 2009 00:54:39 +0100
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/23.1.90 (gnu/linux)

Hello,

Thank you for your bug report.  The patch can't be applied as it is,
because on GNU there are no restrictions on the file name length; the
original code was broken twice.

I attached a version that uses a dynamically allocated buffer, OK to
push?

Cheers,
Giuseppe



王智通 <address@hidden> writes:
> Dear, all:
>  
>    I download gnu telnet code from 
> http://ftp.gnu.org/gnu/inetutils/inetutils-1.7.tar.gz. In the telnet code in 
> commands.c,
> I found that this function has a local buffer overflow bug, see:
>  
> Commands.c:
>  
> static char *rcname = 0;
> static char rcbuf[128];
>  
> static void
> cmdrc (char *m1, char *m2)
> {
>   if (rcname == 0)
>     {
>    rcname = getenv ("HOME");   // when the getenv()  get the HOME environment 
> value, It not test the length of the value, and then copy it to the rcbuf. If 
> the length is too long(>128), it will cause a buffer overflow.
>       if (rcname)
>          strcpy (rcbuf, rcname);
>       else
>          rcbuf[0] = '\0';
>       strcat (rcbuf, "/.telnetrc");
>       rcname = rcbuf;
> }
>  
> You can test it with:
>  
> Export 
> HOME=”aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa”
>  
> ./telnet localhost 22
>  
> My terminal has crashed.
>  
> And my patch is:
>  
> diff -Nur inetutils-1.7/telnet/commands.c inetutils-1.7-new/telnet/commands.c
> --- inetutils-1.7/telnet/commands.c     2009-12-14 19:36:17.000000000 +0800
> +++ inetutils-1.7-new/telnet/commands.c 2009-12-27 19:02:44.000000000 +0800
> @@ -3029,6 +3029,8 @@
>    if (rcname == 0)
>      {
>        rcname = getenv ("HOME");
> +      if (strlen(rcname) > 128)
> +        return ;
>        if (rcname)
>         strcpy (rcbuf, rcname);
>        else
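Review bot: `strlen(rcname)` on the added line runs before the `if (rcname)` NULL check two lines below it, so an unset HOME now dereferences a null pointer instead of taking the empty-rcbuf path. The bound is also too loose: rcbuf holds 128 bytes and the later `strcat (rcbuf, "/.telnetrc")` appends 10 characters plus the terminator, so a HOME of 118 to 128 bytes still overflows; the check would have to be `if (rcname && strlen (rcname) + sizeof "/.telnetrc" > sizeof rcbuf) return;`. The bare `return` also drops the rc file with no diagnostic, which deserves at least a comment. cmdrc's body continues outside the hunk.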



>From db9cb96d650cc9583f7347ba1102713cb7b46c16 Mon Sep 17 00:00:00 2001
From: Giuseppe Scrivano <address@hidden>
Date: Mon, 28 Dec 2009 00:45:49 +0100
Subject: [PATCH] Fix a buffer overflow in telnet when $HOME is longer than 128 
bytes

---
 ChangeLog         |    7 +++++++
 bootstrap.conf    |    1 +
 lib/.gitignore    |    5 +++++
 telnet/commands.c |   14 +++++++-------
 4 files changed, 20 insertions(+), 7 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index bcb67d6..9b70c2a 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,10 @@
+2009-12-28  Giuseppe Scrivano  <address@hidden>
+       Reported by: Zhitong Wangzt <address@hidden>
+
+       * bootstrap.conf (gnulib_modules): Add `xvasprintf'.
+       * telnet/commands.c (cmdrc): Alloc `rcname' dinamically.
+       (rcbuf): Remove.
+
 2009-12-19  Alfred M. Szmidt  <address@hidden>
 
        * configure.ac: Bump version number to 1.7.90.
diff --git a/bootstrap.conf b/bootstrap.conf
index ba67bc6..43e7a0c 100644
--- a/bootstrap.conf
+++ b/bootstrap.conf
@@ -78,6 +78,7 @@ xgetcwd
 xgetdomainname
 xgethostname
 xsize
+xvasprintf
 "
 
 # Read local configuration file
diff --git a/lib/.gitignore b/lib/.gitignore
index c76a7a5..c47b0b9 100644
--- a/lib/.gitignore
+++ b/lib/.gitignore
@@ -18,6 +18,7 @@ argp-version-etc.h
 argp-xinl.c
 argp.h
 asnprintf.c
+asprintf.c
 at-func.c
 basename-lgpl.c
 basename.c
@@ -225,6 +226,7 @@ unlinkat.c
 unlocked-io.h
 vasnprintf.c
 vasnprintf.h
+vasprintf.c
 verify.h
 version-etc-fsf.c
 version-etc.c
@@ -238,6 +240,7 @@ wctype.h
 wctype.in.h
 xalloc-die.c
 xalloc.h
+xasprintf.c
 xgetcwd.c
 xgetcwd.h
 xgetdomainname.c
@@ -248,3 +251,5 @@ xmalloc.c
 xsize.h
 xstrndup.c
 xstrndup.h
+xvasprintf.c
+xvasprintf.h
diff --git a/telnet/commands.c b/telnet/commands.c
index aeb684a..8ac6758 100644
--- a/telnet/commands.c
+++ b/telnet/commands.c
@@ -97,6 +97,9 @@
 #include "defines.h"
 #include "types.h"
 
+#include "xalloc.h"
+#include "xvasprintf.h"
+
 #if !defined(CRAY) && !defined(sysV88)
 # ifdef HAVE_NETINET_IN_SYSTM_H
 #  include <netinet/in_systm.h>
@@ -3008,7 +3011,6 @@ help (int argc, char *argv[])
 }
 
 static char *rcname = 0;
-static char rcbuf[128];
 
 static void
 cmdrc (char *m1, char *m2)
@@ -3028,13 +3030,11 @@ cmdrc (char *m1, char *m2)
 
   if (rcname == 0)
     {
-      rcname = getenv ("HOME");
-      if (rcname)
-       strcpy (rcbuf, rcname);
+      const char *home = getenv ("HOME");
+      if (home)
+        rcname = xasprintf ("%s/.telnetrc", home);
       else
-       rcbuf[0] = '\0';
-      strcat (rcbuf, "/.telnetrc");
-      rcname = rcbuf;
+        rcname = xstrdup ("/.telnetrc");
     }
 
   if ((rcfile = fopen (rcname, "r")) == 0)
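Review bot: `rcname` now holds heap memory from `xasprintf`/`xstrdup` that is computed once and intentionally never released, but the `static char *rcname = 0;` declaration in the preceding hunk carries no comment saying so; add `/* Built once on first use, owned by this file, lives for the process lifetime.  */` above it so a later reader neither adds a free() nor reassigns it. The same comment should record that, as in the original code, an unset HOME yields the path `/.telnetrc` at the filesystem root rather than skipping the rc file. If I read gnulib's xalloc contract correctly the x* allocators abort on allocation failure rather than returning NULL, so no NULL check is needed on the two assignments. cmdrc begins before and continues after this hunk.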
-- 
1.6.5




