Hi,

On 12.02.22 20:53, Erik Auerswald wrote:
> the function "genget()" in the file "libtelnet/genget.c" does not detect duplicated table entries. Instead it returns the first entry as an "exact match". Checking for duplicated command names instead of exiting early on an exact match would have masked the NULL pointer dereference bugs in setcmd() and unsetcmd(). As such it could be interpreted as making the code more robust. The attached "inetutils-libtelnet-genget-reject_duplicate_commands.patch" implements duplicate table entry name detection by removing the early exit on exact match.
This patch would introduce an unintended limitation: it would no longer be possible to have two keys where one is a prefix of the other. I am not aware of any instance of this in the current code, but then I have not audited it for this possibility. If less ancient cryptographic methods were ever added to telnet, it might be useful to allow such keys (e.g., "aes" and "aes256", or "sha3" and "sha384"). Thus I'd say that only two exact matches should be rejected. A single exact match should still override an incomplete match. This would require adding some code, not only removing two lines as done in the patch. Therefore I'd suggest ignoring this patch.

Thanks,
Erik
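The lookup semantics Erik asks for (a single exact match overrides prefix matches, two exact matches mean a duplicated table entry and are rejected, several prefix matches with no exact match are ambiguous) are easy to state but easy to get wrong, so here is an added illustration. This is example code written for this note, not the inetutils genget() implementation; the struct layout, the integer sentinel values and the two sample tables ("aes"/"aes256", "sha3"/"sha384", and a deliberately duplicated "aes") are all constructed for the example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical name table entry; genget() uses its own table layout. */
struct entry {
    const char *name;
    int value;
};

/* Sentinel results; the sample tables never use these values. */
enum {
    LOOKUP_NOTFOUND  = -1,  /* no entry starts with the key          */
    LOOKUP_AMBIGUOUS = -2,  /* several prefix matches, no exact match */
    LOOKUP_DUPLICATE = -3   /* two or more exact matches: table bug   */
};

/* Scan the whole table instead of exiting on the first exact match,
 * so that duplicated names are detected, but still let one exact
 * match win over entries that merely share the key as a prefix. */
static int lookup(const struct entry *table, size_t n, const char *key)
{
    size_t keylen = strlen(key);
    const struct entry *exact = NULL, *partial = NULL;
    int nexact = 0, npartial = 0;

    if (keylen == 0)            /* empty key would prefix-match everything */
        return LOOKUP_NOTFOUND;

    for (size_t i = 0; i < n; i++) {
        if (strcmp(table[i].name, key) == 0) {
            nexact++;
            exact = &table[i];
        } else if (strncmp(table[i].name, key, keylen) == 0) {
            npartial++;
            partial = &table[i];
        }
    }

    if (nexact > 1)   return LOOKUP_DUPLICATE;   /* reject duplicated entries */
    if (nexact == 1)  return exact->value;       /* exact beats prefix matches */
    if (npartial > 1) return LOOKUP_AMBIGUOUS;
    if (npartial == 1) return partial->value;    /* unique abbreviation */
    return LOOKUP_NOTFOUND;
}

/* Constructed sample table with prefix-related keys. */
static const struct entry good_table[] = {
    { "aes",    1 },
    { "aes256", 2 },
    { "sha3",   3 },
    { "sha384", 4 },
};

/* Constructed sample table containing a duplicated name. */
static const struct entry dup_table[] = {
    { "aes",  1 },
    { "aes",  5 },
    { "sha3", 3 },
};

int lookup_good(const char *key)
{
    return lookup(good_table, sizeof good_table / sizeof good_table[0], key);
}

int lookup_dup(const char *key)
{
    return lookup(dup_table, sizeof dup_table / sizeof dup_table[0], key);
}

int main(void)
{
    const char *keys[] = { "aes", "aes256", "aes2", "sha", "md5" };
    for (size_t i = 0; i < sizeof keys / sizeof keys[0]; i++)
        printf("%-7s -> %d\n", keys[i], lookup_good(keys[i]));
    printf("duplicate table, \"aes\" -> %d\n", lookup_dup("aes"));
    return 0;
}
```

With this shape, "aes" resolves to the "aes" entry even though "aes256" also starts with it, "aes2" resolves to "aes256" as a unique abbreviation, "sha" is ambiguous between "sha3" and "sha384", and the duplicated "aes" in the second table is reported instead of silently returning the first copy.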