bug-inetutils

Re: NULL Pointer Dereference in setcmd () at commands.c:1152


From: Erik Auerswald
Subject: Re: NULL Pointer Dereference in setcmd () at commands.c:1152
Date: Sat, 12 Feb 2022 20:43:35 +0100
User-agent: Mutt/1.5.21 (2010-09-15)

Hi,

On Sat, Dec 25, 2021 at 12:19:28PM +0800, ZFeiXQ wrote:
> ## Description
> 
> A NULL Pointer Dereference was discovered in setcmd () at commands.c:1152. 
> The vulnerability causes a segmentation fault and application crash.

Thanks for fuzzing GNU inetutils!

> ## Proof of Concept
> [POC1](https://drive.google.com/file/d/1snLElamVgMu5SO1vkKvSQqOByBlX0zxb/view?usp=sharing)
> 
> **command:**
> 
> ```
> ./telnet < POC1
> ```
> 
> **Result**
> 
> ```
> ./telnet < POC1
> [1]    728662 segmentation fault  ./telnet < ./poc
> ```

This is the same kind of problem as with unsetcmd(), but now in setcmd().
Attempting to set " " to something unconditionally follows ct->charp, but
the relevant table "Setlist" contains several entries with name " ", but
neither a valid ct->handler nor a valid ct->charp (i.e., empty lines and
comment lines):

    $ telnet/telnet
    telnet> set \  whatever
    Segmentation fault (core dumped)

The attached patch "inetutils-telnet-set_null_deref_fix.patch" fixes this
by rejecting a set argument with neither ct->handler nor ct->charp.

Thanks,
Erik
-- 
In the beginning, there was static routing.
                        -- RFC 1118

Attachment: inetutils-telnet-set_null_deref_fix.patch
Description: Text Data
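A minimal model of the lookup path described above and of the check the patch adds, written as an added example rather than taken from the attached patch or from inetutils itself. The struct layout, the constructed Setlist rows, getset() (exact match only, where telnet's lookup also accepts prefixes) and the simplified value conversion in setcmd() are assumptions modelled on telnet's commands.c.

```c
#include <stddef.h>
#include <string.h>

typedef unsigned char cc_t;

/* Assumed simplified layout of a telnet Setlist entry. */
struct setlist {
    const char *name;
    const char *help;
    void (*handler)(const char *);
    cc_t *charp;
};

static cc_t echoc = '\x05';
static void set_tracefile(const char *arg) { (void)arg; }

/* Constructed table: the rows named " " are separator and comment lines
   and carry neither a handler nor a charp, exactly the case in the report. */
static struct setlist Setlist[] = {
    { "echo", "character to toggle local echoing on/off", NULL, &echoc },
    { "tracefile", "file to write trace information to", set_tracefile, NULL },
    { " ", "", NULL, NULL },
    { " ", "The following need 'localchars' to be toggled true", NULL, NULL },
    { NULL, NULL, NULL, NULL }
};

/* First entry whose name matches the argument; "set \  whatever" looks up " ". */
static struct setlist *getset(const char *name)
{
    for (struct setlist *ct = Setlist; ct->name; ct++)
        if (strcmp(ct->name, name) == 0)
            return ct;
    return NULL;
}

/* Returns 1 when the option was set, 0 when the name is unknown or not settable. */
int setcmd(const char *name, const char *value)
{
    struct setlist *ct = getset(name);
    if (ct == NULL)
        return 0;                      /* unknown option */
    if (ct->handler) {
        ct->handler(value);
        return 1;
    }
    /* The fix: an entry with neither handler nor charp is a separator or
       comment line, not an option. Without this check the store below
       writes through a NULL charp and the client segfaults. */
    if (ct->charp == NULL)
        return 0;
    *ct->charp = (cc_t)value[0];       /* real telnet converts via special() */
    return 1;
}
```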

