Telnet client: not properly handling IAC bytes within subnegotiation messages
-----------------------------------------------------------------------------
Key: NET-345
URL: https://issues.apache.org/jira/browse/NET-345
Project: Commons Net
Issue Type: Bug
Components: Telnet
Affects Versions: 2.0
Reporter: Archie Cobbs
Attachments: patch3.txt
Subnegotiation messages in telnet are sent using the sequence {{IAC SB ... IAC
SE}}.
Although it's not clearly spelled out in [RFC
854|http://tools.ietf.org/html/rfc854], any {{IAC}} ({{0xff}}) bytes inside
these messages must be escaped by doubling. Other clients do this and this is
the only behavior that makes sense.
The commons-net telnet client is failing both to escape and to unescape {{IAC}}
bytes within subnegotiation messages. Moreover, if it does receive a valid
{{IAC IAC}} sequence within a subnegotiation message, it will incorrectly jump
back to "data" input mode, discarding the message and introducing its remainder
as garbage in the data stream.
In addition, the code fails to check for an overflow of the subnegotiation
buffer, which would cause an {{ArrayIndexOutOfBounds}} exception if a malicious
peer triggered this condition.
Finally, a {{IAC SE}} sequence appearing by itself should probably be
discarded, rather than passing as a command to the handler.
I'm attaching a patch to fix these issues.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
