Hi,

On Sat, Dec 25, 2021 at 12:19:28PM +0800, ZFeiXQ wrote:
> ## Description
>
> A NULL Pointer Dereference was discovered in setcmd () at commands.c:1152.
> The vulnerability causes a segmentation fault and application crash.

Thanks for fuzzing GNU inetutils!

> ## Proof of Concept
> [POC1](https://drive.google.com/file/d/1snLElamVgMu5SO1vkKvSQqOByBlX0zxb/view?usp=sharing)
>
> **command:**
>
> ```
> ./telnet < POC1
> ```
>
> **Result**
>
> ```
> ./telnet < POC1
> [1] 728662 segmentation fault ./telnet < ./poc
> ```

This is the same kind of problem as with unsetcmd(), but now in setcmd().
Attempting to set " " to something unconditionally follows ct->charp, but
the relevant table "Setlist" contains several entries with name " ", but
neither a valid ct->handler nor a valid ct->charp (i.e., empty lines and
comment lines):

  $ telnet/telnet
  telnet> set \ whatever
  Segmentation fault (core dumped)

The attached patch "inetutils-telnet-set_null_deref_fix.patch" fixes this
by rejecting a set argument with neither ct->handler nor ct->charp.

Thanks,
Erik

-- 
In the beginning, there was static routing.
                -- RFC 1118
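Added example (not inetutils code, and not part of Erik's message): a cut-down C model of the Setlist/setcmd() pattern described above. It shows a table whose " " separator rows carry neither a handler nor a charp, a lookup that can land on one of them, a hardened setcmd() that refuses such rows the way the attached patch does, and, going one step further than the patch, a lookup wrapper that keeps padding rows out of every table-driven command at once. The table contents, getset() and special() here are simplified stand-ins for inetutils' own genget() and special(), not the real implementations.

```c
/* Added example, not inetutils code: a cut-down model of telnet's
 * setcmd() / Setlist.  Table contents, getset() and special() are
 * simplified assumptions standing in for the real genget()/special(). */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

typedef unsigned char cc_t;
#define VDISABLE ((cc_t) 0xff)   /* stands in for _POSIX_VDISABLE */

/* Same shape as telnet's struct setlist.  Separator rows use " " (or a
 * comment string) as their name so "set ?" prints blank/comment lines,
 * but they have neither a handler nor a charp to follow. */
struct setlist {
    const char *name;
    const char *help;
    void (*handler)(const char *);
    cc_t *charp;
};

static cc_t echoc  = 'E' & 0x1f;
static cc_t escape = ']' & 0x1f;
static char tracefile[64] = "(standard output)";

static void set_tracefile(const char *arg) {
    snprintf(tracefile, sizeof tracefile, "%s", arg);
}

/* Constructed table; the " " rows mirror the padding entries in Setlist. */
static struct setlist Setlist[] = {
    { "echo",      "character to toggle local echoing on/off",          NULL,          &echoc },
    { "escape",    "character to escape back to telnet command mode",   NULL,          &escape },
    { " ",         "",                                                   NULL,          NULL },
    { " ",         "The following need 'localchars' to be toggled true", NULL,          NULL },
    { "tracefile", "file to write trace information to",                set_tracefile, (cc_t *) tracefile },
    { NULL, NULL, NULL, NULL }
};

/* Simplified genget(): exact match wins, otherwise a unique prefix;
 * an ambiguous prefix is reported as not found. */
static struct setlist *getset(const char *name) {
    struct setlist *found = NULL;
    size_t n = strlen(name);
    for (struct setlist *ct = Setlist; ct->name; ct++) {
        if (strcmp(ct->name, name) == 0)
            return ct;
        if (strncmp(ct->name, name, n) == 0) {
            if (found)
                return NULL;
            found = ct;
        }
    }
    return found;
}

/* Simplified special(): "^X" -> control char, "^?" -> DEL, else first byte. */
static cc_t special(const char *s) {
    if (s[0] == '^' && s[1])
        return s[1] == '?' ? (cc_t) 0x7f : (cc_t) (s[1] & 0x1f);
    return (cc_t) s[0];
}

/* 1 if the unpatched setcmd() path would dereference NULL for this
 * argument: lookup succeeds but the row has neither handler nor charp. */
int would_null_deref(const char *arg) {
    struct setlist *ct = getset(arg);
    return ct != NULL && ct->handler == NULL && ct->charp == NULL;
}

/* Hardened setcmd(): same control flow as the patched code, with the
 * separator-row check in place.  Returns 1 on success, 0 on error. */
int setcmd_fixed(const char *name, const char *value) {
    struct setlist *ct = getset(name);
    if (ct == NULL) {
        fprintf(stderr, "'%s': unknown or ambiguous argument ('set ?' for help).\n", name);
        return 0;
    }
    if (ct->handler) {
        (*ct->handler)(value);
        printf("%s set to \"%s\".\n", ct->name, (const char *) ct->charp);
    } else if (ct->charp == NULL) {
        /* Separator/comment row: nothing to set, refuse instead of deref. */
        fprintf(stderr, "'%s': invalid argument ('set ?' for help).\n", name);
        return 0;
    } else {
        cc_t v = strcmp("off", value) ? special(value) : VDISABLE;
        *ct->charp = v;
        printf("%s character is 0x%02x.\n", ct->name, (unsigned) *ct->charp);
    }
    return 1;
}

/* Stricter alternative (beyond the patch): keep padding rows out of
 * lookup altogether, so set, unset and any other command sharing the
 * table are covered by one check. */
struct setlist *getset_strict(const char *name) {
    struct setlist *ct = getset(name);
    return (ct && !ct->handler && !ct->charp) ? NULL : ct;
}

int main(void) {
    setcmd_fixed("echo", "^X");
    setcmd_fixed(" ", "whatever");        /* crashed before the fix */
    setcmd_fixed("tracefile", "/tmp/telnet.trace");
    printf("padding row reachable by lookup: %d\n", would_null_deref(" "));
    return 0;
}
```

The check inside setcmd_fixed() is the one the patch adds; getset_strict() shows the alternative of refusing padding rows at lookup time, which would have covered the earlier unsetcmd() report with the same line.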
diff --git a/telnet/commands.c b/telnet/commands.c index 9e04944f..072bba62 100644 --- a/telnet/commands.c +++ b/telnet/commands.c @@ -1136,6 +1136,11 @@ setcmd (int argc, char *argv[]) (*ct->handler) (argv[2]); printf ("%s set to \"%s\".\n", ct->name, (char *) ct->charp); } + else if (!ct->charp) + { + fprintf (stderr, "'%s': invalid argument ('set ?' for help).\n", + argv[1]); + } else { if (strcmp ("off", argv[2]))
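Review bot: the new `else if (!ct->charp)` branch is only reached when ct->handler is NULL, so the `printf ("%s set to \"%s\".\n", ct->name, (char *) ct->charp);` in the handler branch just above it still hands ct->charp to %s unchecked; any Setlist row with a handler but no charp would be a second NULL dereference in the same function, so either guard that printf as well or test for the padding rows before the `if (ct->handler)`. The branch also prints its diagnostic and then falls through to whatever follows the if/else chain; if setcmd's other error paths return an error status, this one should return the same rather than report success.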