Hi,

On Sat, Dec 25, 2021 at 12:19:28PM +0800, ZFeiXQ wrote:
> ## Description
> 
> A NULL Pointer Dereference was discovered in setcmd () at commands.c:1152. 
> The vulnerability causes a segmentation fault and application crash.

Thanks for fuzzing GNU inetutils!

> ## Proof of Concept
> [POC1](https://drive.google.com/file/d/1snLElamVgMu5SO1vkKvSQqOByBlX0zxb/view?usp=sharing)
> 
> **command:**
> 
> ```
> ./telnet < POC1
> ```
> 
> **Result**
> 
> ```
> ./telnet < POC1
> [1]    728662 segmentation fault  ./telnet < ./poc
> ```

This is the same kind of problem as with unsetcmd(), but now in setcmd().
Attempting to set " " to something unconditionally follows ct->charp, but
the relevant table "Setlist" contains several entries with name " ", but
neither a valid ct->handler nor a valid ct->charp (i.e., empty lines and
comment lines):

    $ telnet/telnet
    telnet> set \  whatever
    Segmentation fault (core dumped)

The attached patch "inetutils-telnet-set_null_deref_fix.patch" fixes this
by rejecting a set argument with neither ct->handler nor ct->charp.

Thanks,
Erik
-- 
In the beginning, there was static routing.
                        -- RFC 1118
diff --git a/telnet/commands.c b/telnet/commands.c
index 9e04944f..072bba62 100644
--- a/telnet/commands.c
+++ b/telnet/commands.c
@@ -1136,6 +1136,11 @@ setcmd (int argc, char *argv[])
       (*ct->handler) (argv[2]);
       printf ("%s set to \"%s\".\n", ct->name, (char *) ct->charp);
     }
+  else if (!ct->charp)
+    {
+      fprintf (stderr, "'%s': invalid argument ('set ?' for help).\n",
+	       argv[1]);
+    }
   else
     {
       if (strcmp ("off", argv[2]))
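Review bot: the new `else if (!ct->charp)` branch only guards the non-handler path; the handler branch just above it still passes `(char *) ct->charp` to `printf ("%s ...")` unconditionally, so any Setlist row that carries a handler but a NULL charp would read through the same NULL pointer this patch is closing. If that combination can occur in the table, guard the printf too (e.g. `ct->charp ? (char *) ct->charp : ""`), or move the charp check ahead of the handler branch as `!ct->handler && !ct->charp`. Minor: the diagnostic says "invalid argument" although argv[1] did match a row; the rows being rejected are the blank and comment lines kept in Setlist for `set ?` output, so a message along the lines of "'%s' is not a settable variable ('set ?' for help)" tells the user what actually happened.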
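To make the failure mode Erik describes concrete, here is a self-contained C sketch added by the editor; it is not code from GNU inetutils. It uses a constructed table in the shape of telnet's Setlist, with two " " placeholder rows that have neither handler nor charp, a prefix lookup in the spirit of genget(), and a set_variable() that mirrors the patched control flow of setcmd(). The names `lookup`, `parse_value`, `set_variable` and the result enum are the example's own; the ^X value parsing is a simplified stand-in for telnet's special().

```c
#include <stdio.h>
#include <string.h>

/* Simplified stand-in for a telnet Setlist row (constructed for this example,
 * not the real inetutils struct).  charp points at the character variable that
 * "set" updates; handler, when non-NULL, is called instead.  Blank and comment
 * rows exist only for "set ?" output: they carry the name " " and neither
 * pointer, which is exactly what the PoC argument matches. */
struct setlist {
    const char *name;
    const char *help;
    void (*handler)(const char *);
    char *charp;
};

static char echoc = '^';
static char escapec = 0x1d;
static char tracefile_first = 0;

/* Example handler: remembers the first byte of the argument. */
static void set_tracefile(const char *arg)
{
    tracefile_first = arg[0];
}

static struct setlist Setlist[] = {
    { "echo",      "character to toggle local echoing on/off",           NULL,          &echoc },
    { " ",         "",                                                   NULL,          NULL },   /* blank help line */
    { " ",         "The following need 'localchars' to be toggled true", NULL,          NULL },   /* comment line */
    { "escape",    "character to escape back to telnet command mode",    NULL,          &escapec },
    { "tracefile", "file to write trace information to",                 set_tracefile, NULL },
    { NULL, NULL, NULL, NULL }
};

static struct setlist ambiguous_row;
#define AMBIGUOUS (&ambiguous_row)

/* Prefix lookup in the spirit of genget(): an exact match wins, a unique
 * prefix matches, several prefix matches yield AMBIGUOUS, none yields NULL.
 * "set ' '" therefore lands on the first placeholder row. */
static struct setlist *lookup(const char *name)
{
    struct setlist *match = NULL;
    size_t n = strlen(name);

    for (struct setlist *ct = Setlist; ct->name != NULL; ct++) {
        if (strcmp(ct->name, name) == 0)
            return ct;
        if (strncmp(ct->name, name, n) == 0) {
            if (match != NULL)
                return AMBIGUOUS;
            match = ct;
        }
    }
    return match;
}

/* Simplified value parsing: "off" disables the character (0), "^X" is
 * control-X, anything else is taken literally. */
static char parse_value(const char *value)
{
    if (strcmp(value, "off") == 0)
        return 0;
    if (value[0] == '^' && value[1] != '\0')
        return (char)(value[1] & 0x1f);
    return value[0];
}

enum set_result { SET_OK, SET_UNKNOWN, SET_AMBIGUOUS, SET_NOT_SETTABLE };

/* Hardened equivalent of the setcmd() body.  The branch marked "fix" is the
 * one the patch adds: without it a placeholder row falls through to the
 * final assignment and writes through ct->charp == NULL. */
static enum set_result set_variable(const char *name, const char *value)
{
    struct setlist *ct = lookup(name);

    if (ct == NULL)
        return SET_UNKNOWN;
    if (ct == AMBIGUOUS)
        return SET_AMBIGUOUS;

    if (ct->handler != NULL) {
        ct->handler(value);
        printf("%s set to \"%s\".\n", ct->name, value);
        return SET_OK;
    }
    if (ct->charp == NULL) {                                    /* fix */
        fprintf(stderr, "'%s': invalid argument ('set ?' for help).\n", name);
        return SET_NOT_SETTABLE;
    }
    *ct->charp = parse_value(value);
    printf("%s character is 0x%02x.\n", ct->name, (unsigned char)*ct->charp);
    return SET_OK;
}

int main(void)
{
    /* Constructed inputs: a normal set, the PoC's " " argument (a crash
     * without the guard), an ambiguous prefix and a handler row. */
    set_variable("echo", "^E");
    set_variable(" ", "whatever");
    set_variable("e", "x");
    set_variable("trace", "/tmp/t");
    return 0;
}
```

The two " " rows are the point: a generic prefix lookup cannot tell a help-only row from a real variable, so the dispatcher has to validate the row it got back (handler or charp present) before dereferencing either pointer.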