[Bug][Patch] Buffer overflow in function makeargv() in telnet/commands.c
From: Erik Auerswald
Subject: [Bug][Patch] Buffer overflow in function makeargv() in telnet/commands.c
Date: Sat, 19 Feb 2022 20:21:23 +0100
User-agent: Mutt/1.5.21 (2010-09-15)
Hi,
the function makeargv() in telnet/commands.c is used to build an array of
arguments for command invocation. This array has a fixed size of 20. The
entry after the last argument is set to 0. Thus the array can take up to
19 arguments. But there is no check if there are more than 19 arguments.
The "help" command takes an arbitrary number of arguments and prints the
help text of each argument that matches a command:
$ telnet/telnet
telnet> help z ! ?
suspend telnet
invoke a subshell
print help information
telnet> q
$
This works fine for up to 18 arguments to the "help" command, i.e., up to
19 arguments with a terminating "0" entry in the *margv[20] array:
$ telnet/telnet
telnet> help z ! ? z ! ? z ! ? z ! ? z ! ? z ! ?
suspend telnet
invoke a subshell
print help information
suspend telnet
invoke a subshell
print help information
suspend telnet
invoke a subshell
print help information
suspend telnet
invoke a subshell
print help information
suspend telnet
invoke a subshell
print help information
suspend telnet
invoke a subshell
print help information
telnet> q
$
Adding another argument overflows the *margv[20] array by one entry. This
writes a 0 right after the array. At least on my system (Ubuntu GNU/Linux
18.04.06 LTS with gcc 7.5.0) this overwrites the margc variable, setting it
to 0. Thus no help text is printed:
$ telnet/telnet
telnet> help z ! ? z ! ? z ! ? z ! ? z ! ? z ! ? z
telnet> q
$
Adding another argument results in a higher value for margc. This results
in reading past the end of the *margv[20] array, leading to a segmentation
fault:
$ telnet/telnet
telnet> help z ! ? z ! ? z ! ? z ! ? z ! ? z ! ? z !
suspend telnet
invoke a subshell
print help information
suspend telnet
invoke a subshell
print help information
suspend telnet
invoke a subshell
print help information
suspend telnet
invoke a subshell
print help information
suspend telnet
invoke a subshell
print help information
suspend telnet
invoke a subshell
print help information
suspend telnet
Segmentation fault (core dumped)
$
The attached patch fixes this.
HTH,
Erik
--
Reality is that which, when you stop believing in it, doesn't go away.
-- Philip K. Dick
Attachment: inetutils-telnet-prevent_margv_overflow.patch (Text Data)
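The report above describes the shape of the bug but the attached patch is not shown here. The following is an added example, not inetutils code and not Erik's patch: a tokenizer with the layout the mail describes (a fixed char *margv[20] array, a 0 entry after the last argument, a margc counter) together with the bounds check that makeargv() lacks, so that the twentieth argument can never write past the array. The function names are hypothetical and telnet's quoting rules are left out.

```c
/* Added example, not inetutils code or the attached patch: a tokenizer with
 * the layout the report describes (char *margv[20], a 0 after the last
 * argument, a margc counter) plus the bounds check makeargv() lacks.
 * Names are hypothetical; telnet's quoting rules are left out. */
#include <ctype.h>
#include <string.h>

#define MAXARGS 20            /* fixed size of *margv[20] in the report */
static char *margv[MAXARGS];  /* argument vector, 0 after the last entry */
static int margc;             /* number of arguments stored in margv */

/* Split 'line' in place on whitespace. At most MAXARGS - 1 (19) arguments
 * fit, since slot margc must hold the terminating 0 inside the array. On
 * overflow the line is rejected (margc = 0, margv[0] = 0) and -1 returned,
 * rather than silently dropping arguments; otherwise returns margc. */
int safe_makeargv(char *line)
{
    char *p = line;
    margc = 0;
    for (;;) {
        while (*p != '\0' && isspace((unsigned char)*p))
            p++;                        /* skip separators */
        if (*p == '\0')
            break;
        if (margc >= MAXARGS - 1) {     /* the missing check */
            margc = 0;
            margv[0] = 0;
            return -1;
        }
        margv[margc++] = p;
        while (*p != '\0' && !isspace((unsigned char)*p))
            p++;                        /* advance to end of token */
        if (*p != '\0')
            *p++ = '\0';                /* terminate the token */
    }
    margv[margc] = 0;                   /* index is at most 19 */
    return margc;
}

/* Constructed input: "help" followed by n "z" arguments (n <= MAXARGS), like
 * the help invocations in the mail (n = 18 fits, n = 19 is one too many). */
int tokenize_help_with(int n)
{
    static char buf[2 * MAXARGS + 8];   /* "help" + n * " z" + NUL */
    strcpy(buf, "help");
    for (int i = 0; i < n; i++)
        strcat(buf, " z");
    return safe_makeargv(buf);
}
```

With 18 "z" arguments the call returns 19 and margv[19] holds the terminating 0; with 19 it returns -1 instead of writing a 0 into whatever follows the array.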