Hi,

On Thu, Feb 10, 2022 at 07:56:28PM +0100, Erik Auerswald wrote:
> On Thu, Dec 23, 2021 at 09:17:45PM +0800, AiDai wrote:
> > # NULL Pointer Dereference in unsetcmd() at inetutils/telnet/commands.c:1227
> >
> > ## Description
> >
> > A NULL Pointer Dereference was discovered in unsetcmd() at
> > inetutils/telnet/commands.c:1227. The vulnerability causes a segmentation
> > fault and application crash.
>
> This happens when the "unset" command is used with a single space as
> argument, because the "Setlist" contains entries for empty lines that use
> a single space as key, but the setlist.handler is 0 and the setlist.charp
> is NULL:
>
>     {" ", "", 0, NULL},
>
> There are several (identical) such entries, but since the " " entry is
> matched exactly, isprefix() does not return an ambiguous match, but an
> exact match.
                ^--- of the first such entry
The Setlist table contains comment lines with " " as name, too.

It might be a good idea to not match any table entry in genget() when the
name is a single space (" ").

It could be useful to change isprefix() to not exit early on the first
exact match, and thus return "&ambiguous" when trying to match a
duplicated name. This would have prevented this specific NULL pointer
dereference, because there is more than one empty and/or comment line,
i.e., with a name of " ", in the respective table. It would help against
accidentally adding two entries to a table, too. But it would not guard
against matching the single "empty line" in the Togglelist table.

Thanks,
Erik
--
[M]ost parts of this industry just work by chance.
                        -- Thomas Gleixner
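The two lookup behaviours discussed in this thread, as an added stand-alone example that is not inetutils' code: a small command table whose separator and comment lines carry the blank name " " with no handler and no variable, modelled on the `{" ", "", 0, NULL}` initialiser quoted above. `lookup_early_exit` returns the first exact match the way the thread describes isprefix() doing, so "unset" with a single space lands on an entry that has nothing to call and nothing to clear. `lookup_checked` adds the two changes suggested here (never match a blank name; report a duplicated exact name as ambiguous), and `unset_with` keeps a separate "is this entry settable" guard so the dereference is refused even when the old lookup is used. The struct layout, the table contents, the `ambiguous_sentinel` and the `UNSET_*` result codes are all hypothetical.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical entry shaped like the (name, help, handler, charp) initialisers
 * quoted in the thread; this is not the inetutils definition. */
struct cmd_entry {
    const char *name;
    const char *help;
    int (*handler)(int);    /* 0 (NULL) on separator/comment lines */
    const char **charp;     /* NULL on separator/comment lines */
};

typedef const struct cmd_entry *(*lookup_fn)(const struct cmd_entry *, const char *);

/* Sentinel returned for ambiguous matches (stands in for "&ambiguous"). */
static const struct cmd_entry ambiguous_sentinel = {"<ambiguous>", "", 0, NULL};
#define Ambiguous(p) ((p) == &ambiguous_sentinel)

static const char *echo_char = "^E";      /* constructed sample variables */
static const char *escape_char = "^]";
static int handler_calls = 0;
static int count_handler(int v) { (void)v; handler_calls++; return 0; }

/* Constructed table: blank-named lines appear more than once, as described. */
static const struct cmd_entry setlist[] = {
    {"echo",   "character to toggle local echoing on/off", 0, &echo_char},
    {" ",      "", 0, NULL},                       /* empty separator line */
    {"escape", "character to escape back to command mode", 0, &escape_char},
    {" ",      "", 0, NULL},                       /* second blank-named line */
    {" ",      "comment line: help text only", 0, NULL},
    {"hook",   "hypothetical handler-backed setting", count_handler, NULL},
    {NULL, NULL, 0, NULL}
};

/* Early-exit lookup: the first exact match wins immediately, so a duplicated
 * name is never noticed and " " resolves to setlist[1]. */
static const struct cmd_entry *lookup_early_exit(const struct cmd_entry *t, const char *name)
{
    const struct cmd_entry *found = NULL;
    size_t n = strlen(name);
    for (; t->name; t++) {
        if (strcmp(t->name, name) == 0)
            return t;
        if (strncmp(t->name, name, n) == 0) {       /* name is a prefix of t->name */
            if (found)
                return &ambiguous_sentinel;
            found = t;
        }
    }
    return found;
}

/* Hardened lookup: an all-blank name matches nothing, and a name that occurs
 * more than once as an exact match is reported as ambiguous. */
static const struct cmd_entry *lookup_checked(const struct cmd_entry *t, const char *name)
{
    const struct cmd_entry *exact = NULL, *prefix = NULL;
    int exact_count = 0, prefix_count = 0;
    size_t n = strlen(name);
    if (n == 0 || name[strspn(name, " ")] == '\0')
        return NULL;
    for (; t->name; t++) {
        if (strcmp(t->name, name) == 0) { exact = t; exact_count++; }
        else if (strncmp(t->name, name, n) == 0) { prefix = t; prefix_count++; }
    }
    if (exact_count == 1) return exact;
    if (exact_count > 1) return &ambiguous_sentinel;
    if (prefix_count == 1) return prefix;
    if (prefix_count > 1) return &ambiguous_sentinel;
    return NULL;
}

/* An entry can only be unset if there is a handler to call or a variable to clear. */
static int is_settable(const struct cmd_entry *ct)
{
    return ct->handler != 0 || ct->charp != NULL;
}

enum { UNSET_OK = 0, UNSET_UNKNOWN = -1, UNSET_AMBIGUOUS = -2, UNSET_NOT_SETTABLE = -3 };

/* Hypothetical unset: resolves the name with the given lookup and refuses to
 * touch entries that have neither handler nor charp instead of dereferencing. */
static int unset_with(lookup_fn lookup, const char *name)
{
    const struct cmd_entry *ct = lookup(setlist, name);
    if (ct == NULL)
        return UNSET_UNKNOWN;
    if (Ambiguous(ct))
        return UNSET_AMBIGUOUS;
    if (!is_settable(ct))
        return UNSET_NOT_SETTABLE;
    if (ct->handler)
        ct->handler(0);
    else
        *ct->charp = "off";
    return UNSET_OK;
}

int main(void)
{
    const struct cmd_entry *ct = lookup_early_exit(setlist, " ");
    printf("early-exit lookup of \" \": entry %ld, handler NULL: %d, charp NULL: %d\n",
           (long)(ct - setlist), ct->handler == 0, ct->charp == NULL);
    printf("unset \" \" with early-exit lookup: %d, with checked lookup: %d\n",
           unset_with(lookup_early_exit, " "), unset_with(lookup_checked, " "));
    printf("unset \"e\": %d, unset \"echo\": %d (echo_char now \"%s\")\n",
           unset_with(lookup_checked, "e"), unset_with(lookup_checked, "echo"), echo_char);
    return 0;
}
```

The blank-name check in `lookup_checked` is the genget() change suggested above; the exact-match counting is the isprefix() change. As the message notes, the counting only catches names that occur at least twice, so a table with a single blank-named line (the Togglelist case) still relies on the blank-name check or on the `is_settable` guard in the caller.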