On Mon, Jul 20, 2020 at 3:27 PM Julius Hemanth Pitti <[email protected]> wrote:
>
> netoprintf() was not handling a case where the
> return value of vsnprintf is greater than
> "size" (2nd argument), which results in a buffer overflow
> while adjusting the "nfrontp" pointer to point
> beyond the "netobuf" buffer.
>
> Here is one such case where "nfrontp"
> crossed the boundaries of "netobuf" and is
> pointing to another global variable.
>
> (gdb) p &netobuf[8255]
> $5 = 0x55c93afe8b1f <netobuf+8255> ""
> (gdb) p nfrontp
> $6 = 0x55c93afe8c20 <terminaltype> "\377"
> (gdb) p &terminaltype
> $7 = (char **) 0x55c93afe8c20 <terminaltype>
> (gdb)
>
> This resulted in a crash of the telnetd service
> with a segmentation fault.
>
It seems like one. Can you also reproduce it with something like Fedora?

> Signed-off-by: Julius Hemanth Pitti <[email protected]> > --- > ....c-Fix-buffer-overflow-in-netoprintf.patch | 56 +++++++++++++++++++ > .../netkit-telnet/netkit-telnet_0.17.bb | 1 + > 2 files changed, 57 insertions(+) > create mode 100644 > meta-networking/recipes-netkit/netkit-telnet/files/0001-telnetd-utility.c-Fix-buffer-overflow-in-netoprintf.patch > > diff --git > a/meta-networking/recipes-netkit/netkit-telnet/files/0001-telnetd-utility.c-Fix-buffer-overflow-in-netoprintf.patch > > b/meta-networking/recipes-netkit/netkit-telnet/files/0001-telnetd-utility.c-Fix-buffer-overflow-in-netoprintf.patch > new file mode 100644 > index 000000000..8f983e40a > --- /dev/null > +++ > b/meta-networking/recipes-netkit/netkit-telnet/files/0001-telnetd-utility.c-Fix-buffer-overflow-in-netoprintf.patch
> @@ -0,0 +1,56 @@ > +From 9c81c8e5bc7782e8ae12c078615abc3c896059f2 Mon Sep 17 00:00:00 2001 > +From: Julius Hemanth Pitti <[email protected]> > +Date: Tue, 14 Jul 2020 22:34:19 -0700 > +Subject: [PATCH] telnetd/utility.c: Fix buffer overflow in netoprintf > + > +As per man page of vsnprintf, when formated > +string size is greater than "size"(2nd argument), > +then vsnprintf returns size of formated string, > +not "size"(2nd argument). > + > +netoprintf() was not handling a case where > +return value of vsnprintf is greater than > +"size"(2nd argument), results in buffer overflow > +while adjusting "nfrontp" pointer to point > +beyond "netobuf" buffer. > + > +Here is one such case where "nfrontp" > +crossed boundaries of "netobuf", and > +pointing to another global variable. > + > +(gdb) p &netobuf[8255] > +$5 = 0x55c93afe8b1f <netobuf+8255> "" > +(gdb) p nfrontp > +$6 = 0x55c93afe8c20 <terminaltype> "\377" > +(gdb) p &terminaltype > +$7 = (char **) 0x55c93afe8c20 <terminaltype> > +(gdb) > + > +This resulted in crash of telnetd service > +with segmentation fault. > + > +Though this is DoS security bug, I couldn't > +find any CVE ID for this. > + > +Upstream-Status: Pending > + > +Signed-off-by: Julius Hemanth Pitti <[email protected]> > +--- > + telnetd/utility.c | 2 +- > + 1 file changed, 1 insertion(+), 1 deletion(-) > + > +diff --git a/telnetd/utility.c b/telnetd/utility.c > +index b9a46a6..4811f14 100644 > +--- a/telnetd/utility.c > ++++ b/telnetd/utility.c > +@@ -66,7 +66,7 @@ netoprintf(const char *fmt, ...) > + len = vsnprintf(nfrontp, maxsize, fmt, ap); > + va_end(ap); > + > +- if (len<0 || len==maxsize) { > ++ if (len<0 || len>=maxsize) { > + /* didn't fit */ > + netflush(); > + } > +-- > +2.19.1 > diff --git > a/meta-networking/recipes-netkit/netkit-telnet/netkit-telnet_0.17.bb > b/meta-networking/recipes-netkit/netkit-telnet/netkit-telnet_0.17.bb > index 0e92add63..08dd532b6 100644 
> --- a/meta-networking/recipes-netkit/netkit-telnet/netkit-telnet_0.17.bb > +++ b/meta-networking/recipes-netkit/netkit-telnet/netkit-telnet_0.17.bb > @@ -13,6 +13,7 @@ SRC_URI = > "http://ftp.linux.org.uk/pub/linux/Networking/netkit/${BP}.tar.gz \ > file://0001-telnet-telnetd-Fix-print-format-strings.patch \ > file://0001-telnet-telnetd-Fix-deadlock-on-cleanup.patch \ > file://CVE-2020-10188.patch \ > + > file://0001-telnetd-utility.c-Fix-buffer-overflow-in-netoprintf.patch \ > " > > UPSTREAM_CHECK_URI = "${DEBIAN_MIRROR}/main/n/netkit-telnet/" > -- > 2.19.1 >
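Review bot: in the telnetd/utility.c hunk, `len>=maxsize` is the right test for the C99 vsnprintf contract (the return value is the length the output would have had, NUL excluded, so any value of maxsize or more means the buffer was truncated, and `==` caught only one of those cases), but the hunk only changes when netflush() is called; it does not show what happens to `len` afterwards. Since the description says the overrun occurs while "adjusting nfrontp", please confirm that the code after the `/* didn't fit */` branch does not still advance nfrontp by a `len` larger than the space that was free, in particular for a single formatted string longer than the whole netobuf, which netflush() cannot make room for; that case needs a truncation or a drop, not only a flush. A short note in the patch description that the kept `len<0` test covers older vsnprintf implementations that returned -1 on truncation would also help the next reader.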
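Review bot: the new file:// line in the netkit-telnet_0.17.bb hunk follows the existing list, but the patch it pulls in is marked `Upstream-Status: Pending` while the recipe fetches a netkit 0.17 tarball and points UPSTREAM_CHECK_URI at the Debian netkit-telnet package. If no upstream submission is planned, please change the status to Inappropriate with the reason, or record where the fix was sent, so that the next recipe upgrade knows whether the patch can be dropped.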
-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#85839): https://lists.openembedded.org/g/openembedded-devel/message/85839
Mute This Topic: https://lists.openembedded.org/mt/75693009/21656
Group Owner: [email protected]
Unsubscribe: https://lists.openembedded.org/g/openembedded-devel/unsub [[email protected]]
-=-=-=-=-=-=-=-=-=-=-=-
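As an added example, not netkit-telnet's code and not part of the thread above: a small C model of the netoprintf() path that runs the original `len==maxsize` test, the patched `len>=maxsize` test and a hardened variant side by side, and goes one step past the patch by also feeding a line that cannot fit even in an empty buffer. Everything not visible in the posted hunk is an assumption and is marked as such in the comments: NETOBUF_SIZE of 32 instead of the real buffer, the flush-and-retry loop with a 20-iteration safety valve and the trailing `nfrontp += len`, the `sent[]` log standing in for the socket write, and the `run_of()` helper producing constructed input. An overrun is reported as a byte count instead of being performed, so the model is safe to run.

```c
/* Added model of telnetd's netoprintf() output path (not netkit-telnet's code). */
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define NETOBUF_SIZE 32          /* constructed: tiny so the overrun is easy to hit */
static char netobuf[NETOBUF_SIZE];
static char *nfrontp = netobuf;  /* next free byte in netobuf, as in the original */

static char sent[1024];          /* constructed log of what netflush() "sent" */
static size_t sent_len;

/* Stand-in for netflush(): push everything queued so far and empty the buffer. */
static void netflush(void)
{
    size_t n = (size_t)(nfrontp - netobuf);
    if (sent_len + n <= sizeof sent) {
        memcpy(sent + sent_len, netobuf, n);
        sent_len += n;
    }
    nfrontp = netobuf;
}

static void net_reset(void)
{
    memset(netobuf, 0, sizeof netobuf);
    memset(sent, 0, sizeof sent);
    nfrontp = netobuf;
    sent_len = 0;
}

static long net_offset(void)      { return nfrontp - netobuf; }
static size_t net_sent_len(void)  { return sent_len; }
static const char *net_sent(void) { return sent; }

enum check_mode {
    CHECK_ORIGINAL,  /* len<0 || len==maxsize: misses every len > maxsize */
    CHECK_PATCHED,   /* len<0 || len>=maxsize: the one-line fix in the patch */
    CHECK_HARDENED   /* patched test plus a cap for output longer than the whole buffer */
};

/* Returns 0 when the output was queued and nfrontp advanced; a positive count when
 * the modelled code would have moved nfrontp that many bytes past the end of
 * netobuf (reported, not performed); -1 on a vsnprintf error. The flush-and-retry
 * loop, the 20-iteration valve and the final "nfrontp += len" are assumptions
 * about the code around the hunk, which only shows the "didn't fit" test. */
static int netoprintf_model(enum check_mode mode, const char *fmt, ...)
{
    va_list ap;
    int len, maxsize, tries = 0;

    for (;;) {
        maxsize = NETOBUF_SIZE - (int)(nfrontp - netobuf);
        va_start(ap, fmt);
        len = vsnprintf(nfrontp, (size_t)maxsize, fmt, ap);
        va_end(ap);

        /* C99 vsnprintf returns the length the output would have had, NUL excluded:
         * any value >= maxsize means truncation; "==" catches only one such case. */
        int didnt_fit = (mode == CHECK_ORIGINAL) ? (len < 0 || len == maxsize)
                                                 : (len < 0 || len >= maxsize);
        if (!didnt_fit)
            break;

        netflush();  /* make room: everything queued before this call goes out */

        if (mode == CHECK_HARDENED && len >= NETOBUF_SIZE) {
            /* Cannot fit even in an empty buffer: queue a truncated line rather
             * than retry until the valve trips and then advance by the full len. */
            maxsize = NETOBUF_SIZE;
            va_start(ap, fmt);
            (void)vsnprintf(netobuf, NETOBUF_SIZE, fmt, ap);
            va_end(ap);
            len = NETOBUF_SIZE - 1;
            break;
        }
        if (++tries > 20)
            break;   /* safety valve; len is still oversized when this trips */
    }

    if (len < 0)
        return -1;
    if (len > maxsize)
        return len - maxsize;  /* "nfrontp += len" would land this far past the end */
    nfrontp += len;
    return 0;
}

/* Constructed test input: n copies of c. */
static const char *run_of(char c, int n)
{
    static char buf[128];
    if (n > (int)sizeof buf - 1)
        n = (int)sizeof buf - 1;
    memset(buf, c, (size_t)n);
    buf[n] = '\0';
    return buf;
}

int main(void)
{
    int r;
    net_reset();
    netoprintf_model(CHECK_PATCHED, "%s", run_of('a', 24));   /* 24 of 32 bytes in use */
    r = netoprintf_model(CHECK_ORIGINAL, "%s", run_of('b', 20));
    printf("original test, 20 bytes into 8 free: overrun by %d bytes\n", r);
    r = netoprintf_model(CHECK_PATCHED, "%s", run_of('b', 20));
    printf("patched test, same input: status %d, offset %ld, flushed %zu\n",
           r, net_offset(), net_sent_len());
    r = netoprintf_model(CHECK_PATCHED, "%s", run_of('c', 40));
    printf("patched test, 40-byte line: overrun by %d bytes\n", r);
    r = netoprintf_model(CHECK_HARDENED, "%s", run_of('c', 40));
    printf("hardened, 40-byte line: status %d, queued %ld bytes\n", r, net_offset());
    return 0;
}
```

With 8 bytes free and a 20-byte line, vsnprintf writes 7 bytes plus the NUL and returns 20; the original test compares 20 with 8, decides the line fit, and the model reports that `nfrontp += len` would land 12 bytes past the end of netobuf, which is the pointer drift the gdb session shows. The patched test flushes and retries, and the retry fits in the emptied buffer. For a 40-byte line the patched loop flushes, retries until the valve trips and would still overrun by 8 bytes, which is the case the hardened branch converts into a truncated 31-byte line.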
