49 lines
1.5 KiB
Diff
49 lines
1.5 KiB
Diff
|
Description: Fix remote DoS vulnerability in inetutils-telnetd
|
||
|
|
This is caused by a crash by a NULL pointer dereference when sending the
|
||
|
|
byte sequences «0xff 0xf7» or «0xff 0xf8».
|
||
|
|
Authors:
|
||
|
|
Pierre Kim (original patch),
|
||
|
|
Alexandre Torres (original patch),
|
||
|
|
Erik Auerswald <auerswal@unix-ag.uni-kl.de> (adapted patch),
|
||
|
|
Reviewed-by: Erik Auerswald <auerswal@unix-ag.uni-kl.de>
|
||
|
|
Origin: upstream
|
||
|
|
Ref: https://pierrekim.github.io/blog/2022-08-24-2-byte-dos-freebsd-netbsd-telnetd-netkit-telnetd-inetutils-telnetd-kerberos-telnetd.html
|
||
|
|
Forwarded: https://lists.gnu.org/archive/html/bug-inetutils/2022-08/msg00002.html
|
||
|
|
Last-Update: 2022-08-28
|
||
|
|
|
||
|
|
---
|
||
|
|
telnetd/state.c | 14 +++++++++++---
|
||
|
|
1 file changed, 11 insertions(+), 3 deletions(-)
|
||
|
|
|
||
|
|
diff --git a/telnetd/state.c b/telnetd/state.c
|
||
|
|
index 0dc61a2..befc9d0 100644
|
||
|
|
--- a/telnetd/state.c
|
||
|
|
+++ b/telnetd/state.c
|
||
|
|
@@ -206,12 +206,20 @@ void telrcv(void) {
|
||
|
|
case EC:
|
||
|
|
case EL:
|
||
|
|
{
|
||
|
|
- cc_t ch;
|
||
|
|
+ cc_t ch = (cc_t) (_POSIX_VDISABLE);
|
||
|
|
DIAG(TD_OPTIONS, printoption("td: recv IAC", c));
|
||
|
|
ptyflush(); /* half-hearted */
|
||
|
|
init_termbuf();
|
||
|
|
- if (c == EC) ch = *slctab[SLC_EC].sptr;
|
||
|
|
- else ch = *slctab[SLC_EL].sptr;
|
||
|
|
+ if (c == EC)
|
||
|
|
+ {
|
||
|
|
+ if (slctab[SLC_EC].sptr)
|
||
|
|
+ ch = *slctab[SLC_EC].sptr;
|
||
|
|
+ }
|
||
|
|
+ else
|
||
|
|
+ {
|
||
|
|
+ if (slctab[SLC_EL].sptr)
|
||
|
|
+ ch = *slctab[SLC_EL].sptr;
|
||
|
|
+ }
|
||
|
|
if (ch != (cc_t)(_POSIX_VDISABLE))
|
||
|
|
*pfrontp++ = (unsigned char)ch;
|
||
|
|
break;
|
||
|
|
--
|
||
|
|
2.33.0
|
||
|
|
|