1From 6ab007dbb1958371abff2eaaad2b26da89b3c74e Mon Sep 17 00:00:00 2001
2From: Yi Zhao <yi.zhao@windriver.com>
3Date: Fri, 24 Apr 2020 09:43:44 +0800
4Subject: [PATCH] telnetd/utility.c: fix CVE-2020-10188
5
6Upstream-Status: Backport
7[Fedora: https://src.fedoraproject.org/rpms/telnet/raw/master/f/telnet-0.17-overflow-exploit.patch]
8
9CVE: CVE-2020-10188
10
11Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
12---
13 telnetd/utility.c | 32 +++++++++++++++++++++-----------
14 1 file changed, 21 insertions(+), 11 deletions(-)
15
16diff --git a/telnetd/utility.c b/telnetd/utility.c
17index 75314cb..b9a46a6 100644
18--- a/telnetd/utility.c
19+++ b/telnetd/utility.c
20@@ -169,31 +169,38 @@ void ptyflush(void)
21 */
22 static
23 char *
24-nextitem(char *current)
25+nextitem(char *current, const char *endp)
26 {
27+ if (current >= endp) {
28+ return NULL;
29+ }
30 if ((*current&0xff) != IAC) {
31 return current+1;
32 }
33+ if (current+1 >= endp) {
34+ return NULL;
35+ }
36 switch (*(current+1)&0xff) {
37 case DO:
38 case DONT:
39 case WILL:
40 case WONT:
41- return current+3;
42+ return current+3 <= endp ? current+3 : NULL;
43 case SB: /* loop forever looking for the SE */
44 {
45 register char *look = current+2;
46
47- for (;;) {
48+ while (look < endp) {
49 if ((*look++&0xff) == IAC) {
50- if ((*look++&0xff) == SE) {
51+ if (look < endp && (*look++&0xff) == SE) {
52 return look;
53 }
54 }
55 }
56+ return NULL;
57 }
58 default:
59- return current+2;
60+ return current+2 <= endp ? current+2 : NULL;
61 }
62 } /* end of nextitem */
63
64@@ -219,7 +226,7 @@ void netclear(void)
65 register char *thisitem, *next;
66 char *good;
67 #define wewant(p) ((nfrontp > p) && ((*p&0xff) == IAC) && \
68- ((*(p+1)&0xff) != EC) && ((*(p+1)&0xff) != EL))
69+ (nfrontp > p+1 && (((*(p+1)&0xff) != EC) && ((*(p+1)&0xff) != EL))))
70
71 #if defined(ENCRYPT)
72 thisitem = nclearto > netobuf ? 
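Review bot: The new bound checks in the DO/DONT/WILL/WONT and default cases form `current+3` / `current+2` before comparing against `endp`, so when fewer than three bytes remain the arithmetic can produce a pointer beyond one-past-the-end of netobuf, which C leaves undefined even though only the comparison is intended; computing the remaining length instead avoids that, e.g. `return endp - current >= 3 ? current+3 : NULL;` and `return endp - current >= 2 ? current+2 : NULL;`. The function's leading comment (it ends at the `*/` context line and starts above the hunk) still describes the one-argument version: it should state that `endp` is the exclusive end of the buffer and that NULL is returned whenever the item starting at `current` is not fully contained in [current, endp), since every caller now has to handle that. The `/* loop forever looking for the SE */` remark on the SB case is now stale because the loop is bounded by `endp` and falls through to `return NULL` when no SE is found.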
nclearto : netobuf;
73@@ -227,7 +234,7 @@ void netclear(void)
74 thisitem = netobuf;
75 #endif
76
77- while ((next = nextitem(thisitem)) <= nbackp) {
78+ while ((next = nextitem(thisitem, nbackp)) != NULL && next <= nbackp) {
79 thisitem = next;
80 }
81
82@@ -239,20 +246,23 @@ void netclear(void)
83 good = netobuf; /* where the good bytes go */
84 #endif
85
86- while (nfrontp > thisitem) {
87+ while (thisitem != NULL && nfrontp > thisitem) {
88 if (wewant(thisitem)) {
89 int length;
90
91 next = thisitem;
92 do {
93- next = nextitem(next);
94- } while (wewant(next) && (nfrontp > next));
95+ next = nextitem(next, nfrontp);
96+ } while (next != NULL && wewant(next) && (nfrontp > next));
97+ if (next == NULL) {
98+ next = nfrontp;
99+ }
100 length = next-thisitem;
101 bcopy(thisitem, good, length);
102 good += length;
103 thisitem = next;
104 } else {
105- thisitem = nextitem(thisitem);
106+ thisitem = nextitem(thisitem, nfrontp);
107 }
108 }
109
110--
1112.7.4
112
113
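Review bot: The added `nfrontp > p+1` term in the `wewant` macro uses the macro argument without parentheses, so an invocation with anything other than a plain identifier would bind differently than intended; `(nfrontp > (p)+1 && ...` keeps the new term consistent with the parenthesized `(p+1)` used right after it. Both current call sites pass a bare identifier, so this is a style point rather than a miscompile today. In the rewritten while loop, `next <= nbackp` appears to be always true once `next` is non-NULL, because nextitem is now bounded by the same `nbackp` it is passed and never returns a pointer past `endp`; either drop the term or leave a short comment such as `/* nextitem never returns past nbackp; kept as a belt-and-braces check */` so a later reader does not look for a case it guards. netclear begins above this hunk and continues below it.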
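Review bot: A truncated IAC sequence at the tail of the buffer is handled differently on the two paths of the main loop: in the wewant branch a NULL from nextitem is mapped to `nfrontp` and the partial bytes are copied to `good`, while in the else branch `thisitem = nextitem(thisitem, nfrontp)` becomes NULL and the loop exits without copying them. Concretely a lone IAC as the last byte fails `wewant` (the new `nfrontp > p+1` term is false), takes the else branch, and is discarded, so if a caller were ever to append the rest of that option afterwards the remaining bytes would be sent as plain data; whether that can happen depends on how writers fill netobuf, which is outside the hunk. If dropping the partial tail is the intended policy, a comment on the else branch along the lines of `/* nextitem returns NULL for a truncated trailing IAC sequence; it is dropped with the rest of the unwanted data */` makes that explicit. netclear continues past the end of this hunk, so the final handling of `good` and `nfrontp` is not visible here.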