On Thu, Jun 22, 2017 at 04:18:56AM -0400, Alfred M. Szmidt wrote:
>    None of the discovered issues are exploitable; however the analysis
>    below should provide enough information to fix them.
> 
> Would you like to submit patches that fix these issues?

Hi Alfred,

Please find the patches against inetutils v1.9.4 attached to this
mail. I've tried to keep the changes as small as possible. Please review.

Thanks,
Peter

-- 
Best Regards,
Peter Kasza

http://www.itinsight.hu
peter.ka...@itinsight.hu

()  ascii ribbon campaign - against html e-mail
/\  www.asciiribbon.org   - against proprietary attachments
>From 4aad53ba2fd443da8d9bcae9816bf719438095a5 Mon Sep 17 00:00:00 2001
From: Peter Kasza <peter.ka...@itinsight.hu>
Date: Fri, 23 Jun 2017 21:14:32 +0200
Subject: [PATCH 1/3] check arg count in makeargv to fix buffer overflow

---
 telnet/commands.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/telnet/commands.c b/telnet/commands.c
index cd0c75a..57e33c2 100644
--- a/telnet/commands.c
+++ b/telnet/commands.c
@@ -113,6 +113,8 @@
 # include <netinet/ip.h>
 #endif
 
+#define TELNET_MAX_ARGS 20
+
 char *hostname = 0;
 
 extern char *getenv (const char *);
@@ -135,7 +137,7 @@ typedef struct
 static char line[256];
 static char saveline[256];
 static int margc;
-static char *margv[20];
+static char *margv[TELNET_MAX_ARGS];
 
 static void
 makeargv (void)
@@ -152,7 +154,7 @@ makeargv (void)
       margc++;
       cp++;
     }
-  while ((c = *cp))
+  while ((c = *cp) && (margc < TELNET_MAX_ARGS - 1))
     {
       register int inquote = 0;
       while (isspace (c))
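Review bot: The new bound makes the loop stop silently once `TELNET_MAX_ARGS - 1` words have been collected, so any further words on the 256-byte `line` are dropped and the command runs on a truncated argv with no indication to the user. Because `c = *cp` is evaluated before the count check, `c` is non-zero exactly when the loop stopped on the bound, so a diagnostic after the loop such as `if (c != '\0') fprintf (stderr, "?Too many arguments; only %d accepted.\n", TELNET_MAX_ARGS - 1);` would make the truncation visible (a remainder that is only whitespace may need to be tolerated first, depending on how the inner loop leaves `cp`, which is outside this hunk). The `- 1` presumably reserves the slot for the NULL terminator stored after the loop; a comment on the condition, `/* leave room for the terminating NULL in margv */`, would keep the next maintainer from "fixing" it. makeargv's body begins before and ends after this hunk.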
-- 
2.13.1

>From 7e65520a544c08295f0c52b8ae3eb490b2482af1 Mon Sep 17 00:00:00 2001
From: Peter Kasza <peter.ka...@itinsight.hu>
Date: Fri, 23 Jun 2017 21:46:17 +0200
Subject: [PATCH 2/3] fix segfault in unsetcmd when getting a single space as
 an argument

---
 telnet/commands.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/telnet/commands.c b/telnet/commands.c
index 57e33c2..8145637 100644
--- a/telnet/commands.c
+++ b/telnet/commands.c
@@ -1184,7 +1184,7 @@ unsetcmd (int argc, char *argv[])
     {
       name = *argv++;
       ct = getset (name);
-      if (ct == 0)
+      if (ct == 0 || (!Ambiguous(ct) && ct->handler == 0 && ct->charp == 0))
 	{
 	  c = GETTOGGLE (name);
 	  if (c == 0)
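Review bot: The new condition stops `unset` from dereferencing the null `charp` of what is presumably a blank separator row in the set table, but it then falls through to `GETTOGGLE (name)` on the next line; if the toggle table uses the same kind of separator rows (null handler and null data pointer), the same input reaches the same null dereference in the toggle branch below. Either the toggle branch needs the equivalent guard on `c`'s handler and data pointer, or — cleaner — `getset`/`gettoggle` should skip entries whose name is `" "` so no caller has to know about them. Style: the file writes calls with a space before the parenthesis (`getset (name)`, `GETTOGGLE (name)`), so `Ambiguous(ct)` should be `Ambiguous (ct)`. unsetcmd begins before and ends after this hunk.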
-- 
2.13.1

>From a5fa93ae5d404ba8f411b04b32cea600945c8f6e Mon Sep 17 00:00:00 2001
From: Peter Kasza <peter.ka...@itinsight.hu>
Date: Fri, 23 Jun 2017 21:48:18 +0200
Subject: [PATCH 3/3] fix segfault when fetching help message for help

---
 telnet/commands.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/telnet/commands.c b/telnet/commands.c
index 8145637..1162756 100644
--- a/telnet/commands.c
+++ b/telnet/commands.c
@@ -2901,7 +2901,7 @@ static char crmodhelp[] = "deprecated command -- use 'toggle crmod' instead";
 static char escapehelp[] = "deprecated command -- use 'set escape' instead";
 
 static Command cmdtab2[] = {
-  {"help", 0, help, 0},
+  {"help", helphelp, help, 0},
   {"escape", escapehelp, setescape, 0},
   {"crmod", crmodhelp, togcrmod, 0},
   {NULL, NULL, NULL, 0}
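Review bot: Giving the `help` row a real help string removes the null pointer that crashed `help help`, assuming `helphelp` is the same string the main command table already uses; the underlying cause — the help printer dereferencing the `help` field unconditionally — is untouched, so the next table row with a `0` help field will crash the same way. A one-line guard where the tables are walked, printing `c->help ? c->help : ""`, would make every table robust to a missing string. That printing code is outside this hunk.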
-- 
2.13.1
