Description: Fix remote DoS vulnerability in inetutils-telnetd This is caused by a crash by a NULL pointer dereference when sending the byte sequences «0xff 0xf7» or «0xff 0xf8». Authors: Pierre Kim (original patch), Alexandre Torres (original patch), Erik Auerswald (adapted patch), Reviewed-by: Erik Auerswald Origin: upstream Ref: https://pierrekim.github.io/blog/2022-08-24-2-byte-dos-freebsd-netbsd-telnetd-netkit-telnetd-inetutils-telnetd-kerberos-telnetd.html Forwarded: https://lists.gnu.org/archive/html/bug-inetutils/2022-08/msg00002.html Last-Update: 2022-08-28 --- telnetd/state.c | 14 +++++++++++--- 1 file changed, 11 insertions(+), 3 deletions(-) diff --git a/telnetd/state.c b/telnetd/state.c index 0dc61a2..befc9d0 100644 --- a/telnetd/state.c +++ b/telnetd/state.c @@ -206,12 +206,20 @@ void telrcv(void) { case EC: case EL: { - cc_t ch; + cc_t ch = (cc_t) (_POSIX_VDISABLE); DIAG(TD_OPTIONS, printoption("td: recv IAC", c)); ptyflush(); /* half-hearted */ init_termbuf(); - if (c == EC) ch = *slctab[SLC_EC].sptr; - else ch = *slctab[SLC_EL].sptr; + if (c == EC) + { + if (slctab[SLC_EC].sptr) + ch = *slctab[SLC_EC].sptr; + } + else + { + if (slctab[SLC_EL].sptr) + ch = *slctab[SLC_EL].sptr; + } if (ch != (cc_t)(_POSIX_VDISABLE)) *pfrontp++ = (unsigned char)ch; break; -- 2.33.0
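Review bot: The two new NULL guards in the `case EC: case EL:` block differ only in the `slctab` index, and neither carries a comment saying why `sptr` can be NULL here. Consider selecting the entry once, for example `cc_t *p = slctab[c == EC ? SLC_EC : SLC_EL].sptr;`, and testing `p` in a single place, with a one-line comment that the pointer can be NULL when IAC EC or IAC EL (0xff 0xf7, 0xff 0xf8) is received, as the description states. The initialiser `cc_t ch = (cc_t) (_POSIX_VDISABLE);` is what makes the existing `if (ch != (cc_t)(_POSIX_VDISABLE))` test skip the write to `pfrontp` in that case, so it has to stay if the branches are merged. It is also worth confirming that any other dereference of `slctab[...].sptr` in telnetd/state.c has the same guard; none is visible in this hunk.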