1From d52349fa1b6baac77ffa2c74769636aa2ece2ec5 Mon Sep 17 00:00:00 2001
2From: Erik Auerswald <auerswal@unix-ag.uni-kl.de>
3Date: Sat, 3 Sep 2022 16:58:16 +0200
4Subject: [PATCH] telnetd: Handle early IAC EC or IAC EL receipt
5
6Fix telnetd crash if the first two bytes of a new connection
7are 0xff 0xf7 (IAC EC) or 0xff 0xf8 (IAC EL).
8
9The problem was reported in:
10<https://pierrekim.github.io/blog/2022-08-24-2-byte-dos-freebsd-netbsd-telnetd-netkit-telnetd-inetutils-telnetd-kerberos-telnetd.html>.
11
12* NEWS: Mention fix.
13* telnetd/state.c (telrcv): Handle zero slctab[SLC_EC].sptr and
14zero slctab[SLC_EL].sptr.
15
16CVE: CVE-2022-39028
17Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/inetutils.git/commit/?id=fae8263e467380483c28513c0e5fac143e46f94f]
18Signed-off-by: Teoh Jay Shen <jay.shen.teoh@intel.com>
19---
20 telnetd/state.c | 12 +++++++++---
21 1 file changed, 9 insertions(+), 3 deletions(-)
22
23diff --git a/telnetd/state.c b/telnetd/state.c
24index ffc6cba..c2d760f 100644
25--- a/telnetd/state.c
26+++ b/telnetd/state.c
27@@ -312,15 +312,21 @@ telrcv (void)
28 case EC:
29 case EL:
30 {
31- cc_t ch;
32+ cc_t ch = (cc_t) (_POSIX_VDISABLE);
33
34 DEBUG (debug_options, 1, printoption ("td: recv IAC", c));
35 ptyflush (); /* half-hearted */
36 init_termbuf ();
37 if (c == EC)
38- ch = *slctab[SLC_EC].sptr;
39+ {
40+ if (slctab[SLC_EC].sptr)
41+ ch = *slctab[SLC_EC].sptr;
42+ }
43 else
44- ch = *slctab[SLC_EL].sptr;
45+ {
46+ if (slctab[SLC_EL].sptr)
47+ ch = *slctab[SLC_EL].sptr;
48+ }
49 if (ch != (cc_t) (_POSIX_VDISABLE))
50 pty_output_byte ((unsigned char) ch);
51 break;
52--
532.37.3
54
55
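Review bot: The two new branches under `case EC:` / `case EL:` are identical apart from the SLC index, and nothing in the new code says why `sptr` can be null, so a later cleanup could drop the guard and bring back the null dereference the commit message describes (CVE-2022-39028). Selecting the index once keeps a single guarded dereference: `int slc = (c == EC) ? SLC_EC : SLC_EL;` followed by `if (slctab[slc].sptr) ch = *slctab[slc].sptr;`, with a comment such as `/* sptr may still be null when IAC EC/EL arrives at the very start of a connection */`. Initialising `ch` to `_POSIX_VDISABLE` so that the existing check skips `pty_output_byte` is the right fail-safe default and should stay. `telrcv` starts and ends outside this hunk, so whether its other `slctab[...].sptr` dereferences are guarded cannot be confirmed from here and is worth checking in the same review.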