From: Erik Auerswald
Subject: Re: NULL Pointer Dereference in unsetcmd() at inetutils/telnet/commands.c:1227
Date: Fri, 11 Feb 2022 14:38:45 +0100
User-agent: Mutt/1.5.21 (2010-09-15)
Hi,
On Thu, Feb 10, 2022 at 07:56:28PM +0100, Erik Auerswald wrote:
> On Thu, Dec 23, 2021 at 09:17:45PM +0800, AiDai wrote:
> > # NULL Pointer Dereference in unsetcmd() at inetutils/telnet/commands.c:1227
> >
> > ## Description
> >
> > A NULL Pointer Dereference was discovered in unsetcmd() at
> > inetutils/telnet/commands.c:1227. The vulnerability causes a segmentation
> > fault and application crash.
>
> This happens when the "unset" command is used with a single space as
> argument, because the "Setlist" contains entries for empty lines that use
> a single space as key, but the setlist.handler is 0 and the setlist.charp
> is NULL:
>
> {" ", "", 0, NULL},
>
> There are several (identical) such entries, but since the " " entry is
> matched exactly, isprefix() does not return an ambiguous match, but an
> exact match.
^--- of the first such entry
The Setlist table contains comment lines with " " as name, too.
It might be a good idea to not match any table entry in genget() when
the name is a single space (" ").
It could be useful to change isprefix() to not exit early on the
first exact match, and thus return "&ambiguous" when trying to match a
duplicated name. This would have prevented this specific NULL pointer
dereference, because there is more than one empty and/or comment line,
i.e., with a name of " ", in the respective table. It would help against
accidentally adding two entries to a table, too. But it would not guard
against matching the single "empty line" in the Togglelist table.
Thanks,
Erik
--
[M]ost parts of this industry just work by chance.
-- Thomas Gleixner
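To make the two proposals concrete, here is an added example constructed for this page (not inetutils' code): a small model of the set/toggle tables and their prefix lookup, where `lookup()` stands in for genget()/isprefix() and the struct field types, table contents and the `NO_EARLY_EXIT` / `REJECT_BLANK` flags are assumptions. With flags 0 it reproduces the reported path (the " " argument selects a blank row with a NULL charp); `NO_EARLY_EXIT` turns the duplicated " " rows in Setlist into an ambiguous match but still lets the single blank row in Togglelist through, which is exactly the caveat above, and `REJECT_BLANK` closes that case.

```c
#include <ctype.h>
#include <string.h>
/* Constructed model of telnet's set/unset tables and their prefix lookup
 * (not inetutils' own code; field types are assumed). Blank lines are
 * rows with name " ", handler 0 and charp NULL, as quoted in the thread. */
struct setlist { const char *name, *help; int (*handler)(int); char *charp; };
static int noop(int v) { return v; }
static char echo_char = 'E', escape_char = '^', flush_char = 'O';
static struct setlist Setlist[] = {
    {"echo",   "character to toggle local echoing", noop, &echo_char},
    {" ",      "", 0, NULL},                  /* blank line */
    {"escape", "character to escape back",    noop, &escape_char},
    {" ",      "", 0, NULL},                  /* second blank line: duplicate name */
    {NULL, NULL, 0, NULL}
};
static struct setlist Togglelist[] = {        /* has only ONE blank line */
    {"flushoutput", "character to flush output", noop, &flush_char},
    {" ",           "", 0, NULL},
    {NULL, NULL, 0, NULL}
};
static struct setlist ambiguous;              /* sentinel, like telnet's &ambiguous */
enum { NO_EARLY_EXIT = 1, REJECT_BLANK = 2 };
/* Case-insensitive prefix test: 0 = no match, 1 = prefix, 2 = exact. */
static int prefix_kind(const char *s1, const char *s2) {
    while (*s1 && tolower((unsigned char)*s1) == tolower((unsigned char)*s2)) s1++, s2++;
    return *s1 ? 0 : (*s2 ? 1 : 2);
}
/* flags == 0 reproduces the reported behaviour: the first exact match wins,
 * so "unset" with a " " argument selects a blank row whose charp is NULL.
 * NO_EARLY_EXIT keeps scanning and reports duplicated names as ambiguous;
 * REJECT_BLANK refuses the single-space pseudo-name before any row can match. */
static struct setlist *lookup(struct setlist *tbl, const char *name, int flags) {
    struct setlist *exact = NULL, *found = NULL, *c;
    if ((flags & REJECT_BLANK) && strcmp(name, " ") == 0) return NULL;
    for (c = tbl; c->name; c++) {
        int k = prefix_kind(name, c->name);
        if (k == 0) continue;
        if (k == 2) {
            if (!(flags & NO_EARLY_EXIT)) return c;   /* original: first exact wins */
            if (exact) return &ambiguous;             /* duplicated table name */
            exact = c;
        } else found = found ? &ambiguous : c;        /* prefix seen twice */
    }
    return exact ? exact : found;
}
/* unset path with the missing check: 1 = cleared, 0 = unusable entry. */
static int do_unset(struct setlist *e) {
    if (e == NULL || e == &ambiguous || e->charp == NULL) return 0;
    *e->charp = '\0'; return 1;
}
```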