
[bug-inetutils] Buffer overflow for gnu inetutils telnetd


From: Chris Severance
Subject: [bug-inetutils] Buffer overflow for gnu inetutils telnetd
Date: Wed, 03 May 2017 22:25:16 -0400

https://aur.archlinux.org/packages/inetutils-git/

2017-02-21 18:50 Mats Erik Andersson  o telnetd: Debugging of line mode
options.
9db2d39777f8d37496265fc732e640a2ea0c9a29

This new code is causing a buffer overflow. I can immediately see that
char data[6] doesn't include space for the trailing \0. I tried boosting
to "char data[1000]" and that stopped the overflow but then it output
junk characters in place of the OS greeting.

Fortunately something shovels the backtrace through the telnet
connection before terminating.

% telnet 192.168.50.25
Trying 192.168.50.25...
Connected to 192.168.50.25.
Escape character is '^]'.
*** buffer overflow detected ***: /usr/bin/telnetd terminated
======= Backtrace: =========
/usr/lib/libc.so.6(+0x722ab)[0x7f2bfc5e92ab]
/usr/lib/libc.so.6(__fortify_fail+0x37)[0x7f2bfc674407]
/usr/lib/libc.so.6(+0xfb330)[0x7f2bfc672330]
/usr/lib/libc.so.6(+0xfa819)[0x7f2bfc671819]
/usr/lib/libc.so.6(_IO_vfprintf+0x2a70)[0x7f2bfc5c2280]
/usr/lib/libc.so.6(__vsprintf_chk+0x9f)[0x7f2bfc6718bf]
/usr/lib/libc.so.6(__sprintf_chk+0x8a)[0x7f2bfc6717ea]
/usr/bin/telnetd(clientstat+0x10e)[0x40b2de]
/usr/bin/telnetd(telrcv+0x197)[0x40a6b7]
/usr/bin/telnetd(io_drain+0xef)[0x4078df]
/usr/bin/telnetd(getterminaltype+0x75)[0x407a35]
/usr/bin/telnetd[0x405d25]
/usr/bin/telnetd(main+0x88)[0x404ed8]
/usr/lib/libc.so.6(__libc_start_main+0xf1)[0x7f2bfc597511]
/usr/bin/telnetd(_start+0x2a)[0x404f2a]
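
Added example, not part of the original message and not the inetutils code: a bounded formatter that reports truncation instead of overflowing, applied to a buffer of the size named in the report. The helper names format_bounded and try_size and the "%u:%u" field format are assumptions made for illustration; the page does not show the real format string.

```c
#include <stdarg.h>
#include <stdio.h>

/* Format into dst, never writing more than dstsz bytes.
 * Returns 0 if the whole string plus its NUL fit. Otherwise empties
 * dst and returns the byte count that was needed (NUL included),
 * or -1 on a formatting error. */
static int format_bounded(char *dst, size_t dstsz, const char *fmt, ...)
{
    va_list ap;
    int n;

    if (dst == NULL || dstsz == 0)
        return -1;
    va_start(ap, fmt);
    n = vsnprintf(dst, dstsz, fmt, ap);
    va_end(ap);
    if (n < 0 || (size_t)n >= dstsz) {
        dst[0] = '\0';               /* never hand back a truncated field */
        return n < 0 ? -1 : n + 1;
    }
    return 0;
}

/* Hypothetical debug field: two option octets rendered as "a:b".
 * cap is the buffer size under test (at most 16 here). */
static int try_size(size_t cap, unsigned char a, unsigned char b)
{
    char buf[16];

    if (cap > sizeof buf)
        return -1;
    return format_bounded(buf, cap, "%u:%u", (unsigned)a, (unsigned)b);
}

int main(void)
{
    /* Constructed inputs; 6 matches the size of data[] in the report. */
    printf("cap 6, 255:3   -> %d\n", try_size(6, 255, 3));
    printf("cap 6, 255:34  -> %d\n", try_size(6, 255, 34));
    printf("cap 8, 255:255 -> %d\n", try_size(8, 255, 255));
    return 0;
}
```

A nonzero positive return is the buffer size the field actually requires, so six visible characters in a six-byte buffer is reported as needing seven.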



