[bug-inetutils] telnetd bug: Buffer overflow when linked against GNU ter

bug-inetutils

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[bug-inetutils] telnetd bug: Buffer overflow when linked against GNU ter

From:	Petr Malát
Subject:	[bug-inetutils] telnetd bug: Buffer overflow when linked against GNU termcap
Date:	Thu, 23 Aug 2012 20:28:13 +0200

Hi,
I found a problem in terminaltypeok() function, which calls tgetent()
with 1kB buffer. This is fine, if telnetd is linked against ncurses,
but if it is linked against GNU termcap, there is a buffer overflow
for xterm (and maybe other) terminal type, which requires 2030 bytes
and telnetd crashes. Documentation of GNU termcap proposes making this
buffer 2kB (see
http://www.gnu.org/software/termutils/manual/termcap-1.3/html_mono/termcap.html#SEC4).

I hope this is my last telnet issue :-)
  Petr


--- telnetd/utility.c   2012-08-23 20:20:41.000000000 +0200
+++ telnetd/utility.c     2012-08-23 20:22:19.540859145 +0200
@@ -843,7 +843,7 @@ getterminaltype (char *user_name)
 int
 terminaltypeok (char *s)
 {
-  char buf[1024];
+  char buf[2048];

   if (terminaltype == NULL)
     return 1;

[Prev in Thread]

Current Thread

[Next in Thread]

[bug-inetutils] telnetd bug: Buffer overflow when linked against GNU termcap, Petr Malát <=
- Re: [bug-inetutils] telnetd bug: Buffer overflow when linked against GNU termcap, Simon Josefsson, 2012/08/24

Prev by Date: Re: [bug-inetutils] telnetd bug: Busy loop in io_drain can be abused for DOS attack
Next by Date: Re: [bug-inetutils] telnetd bug: Busy loop in io_drain can be abused for DOS attack
Previous by thread: [bug-inetutils] telnetd bug: Busy loop in io_drain can be abused for DOS attack
Next by thread: Re: [bug-inetutils] telnetd bug: Buffer overflow when linked against GNU termcap
Index(es):
- Date
- Thread