Re: Bug in telnet from inetutils-2.2: Insufficient buffer space for longish DISPLAY names

[Erik Auerswald]

Hi,

On 01.02.22 10:01, Erik Auerswald wrote:

I am a colleague of Joerg and could reproduce the bug on Ubuntu GNU/Linux
with a freshly built telnet client from GNU inetutils 2.2:
[...]
Thus the second hunk of the diff sent by Joerg is the actual bug fix,
i.e., retracting use of the X Display Location option.

To fix the bug, you can just copy line 1007 of telnet/telnet.c to
somewhere after line 1017, but before (current) line 1019, to treat
this error of a too long DISPLAY variable value similar to somehow
losing the DISPLAY variable after announcing to send the "X Display
Location" option.  The problem is similar, i.e., the telnet client
tells the server that it will send this option, but then detects
that it cannot do so.  Thus the solution should be similar, i.e.,
retracting use of the option and optionally emitting an error message.

I would be quite surprised if this description of the bug fix would
be copyrightable.

Anyway, a patch that not only fixes the problem, but also adjusts
the respective comment describing the problem and its solution,
and makes the error message more specific, is attached.

The diffstat looks as follows:

    $ diffstat inetutils-telnet-fix_too_long_DISPLAY_handling.patch
     telnet.c |    6 ++++--
     1 file changed, 4 insertions(+), 2 deletions(-)

Please let me know if you would like to use this patch, but would
first require me to complete copyright assignment paperwork.

Of course you can use Jörg's patch or write your own instead.

Best regards,
Erik

P.S. Please keep me in Cc: as I am not subscribed to this mailing list.
diff -Naur inetutils-2.2.orig/telnet/telnet.c inetutils-2.2.changed/telnet/telnet.c
--- inetutils-2.2.orig/telnet/telnet.c	2021-05-25 17:54:19.000000000 +0200
+++ inetutils-2.2.changed/telnet/telnet.c	2022-02-05 16:31:43.474464119 +0100
@@ -1011,11 +1011,13 @@
 	  /* Remote host, and display server must not be corrupted
 	   * by truncation.  In addition, every character of telnet
 	   * protocol must remain unsevered.  Check that DP fits in
-	   * full within TEMP.  Otherwise report buffer error.
+	   * full within TEMP.  Otherwise report buffer error and
+	   * turn off the option.
 	   */
 	  if (strlen ((char *) dp) >= sizeof (temp) - 4 - 2)
 	    {
-	      printf ("lm_will: not enough room in buffer\n");
+	      printf ("lm_will: not enough room in buffer for DISPLAY\n");
+	      send_wont (TELOPT_XDISPLOC, 1);
 	      break;
 	    }