임준혁 via Bug reports for the GNU Internet utilities <[email protected]> writes:
> The client appends LINEMODE SLC reply triplets to the fixed 128-byte global > buffer `slc_reply` through `slc_replyp`, without checking the remaining > space: > > telnet/telnet.c:1484-1489, slc_add_reply() > > A malicious or impersonated Telnet server can negotiate LINEMODE and send an > oversized SLC suboption. For `func > NSLC` with supported SLC level bits, > `slc()` repeatedly calls: > > slc_add_reply (func, SLC_NOSUPPORT, 0); > > This overflows `slc_reply[128]`. `slc_end_reply()` also writes its final > `IAC SE` bytes without a bound check and derives the network reply length > from the potentially corrupted cursor. Thanks for your analysis and report! Seems reasonable. I've pushed: https://codeberg.org/inetutils/inetutils/commit/27ef59f916ff26cc14fe63743d9b7a3dd49937cb It would be great if you could confirm this resolve this problem? How did you find this? Were tools (e.g., LLMs) used, if so which one? It would be great if we could add a test harness that would trigger these bugs in an ASAN build, to have further confidence that patches actually solve some identified problem. It shouldn't be hard to write, but getting it run predictable and without flaky errors on all platforms is probably more challenging. /Simon
signature.asc
Description: PGP signature
