1From 9c81c8e5bc7782e8ae12c078615abc3c896059f2 Mon Sep 17 00:00:00 2001
2From: Julius Hemanth Pitti <jpitti@cisco.com>
3Date: Tue, 14 Jul 2020 22:34:19 -0700
4Subject: [PATCH] telnetd/utility.c: Fix buffer overflow in netoprintf
5
6As per man page of vsnprintf, when formated
7string size is greater than "size"(2nd argument),
8then vsnprintf returns size of formated string,
9not "size"(2nd argument).
10
11netoprintf() was not handling a case where
12return value of vsnprintf is greater than
13"size"(2nd argument), results in buffer overflow
14while adjusting "nfrontp" pointer to point
15beyond "netobuf" buffer.
16
17Here is one such case where "nfrontp"
18crossed boundaries of "netobuf", and
19pointing to another global variable.
20
21(gdb) p &netobuf[8255]
22$5 = 0x55c93afe8b1f <netobuf+8255> ""
23(gdb) p nfrontp
24$6 = 0x55c93afe8c20 <terminaltype> "\377"
25(gdb) p &terminaltype
26$7 = (char **) 0x55c93afe8c20 <terminaltype>
27(gdb)
28
29This resulted in crash of telnetd service
30with segmentation fault.
31
32Though this is DoS security bug, I couldn't
33find any CVE ID for this.
34
35Upstream-Status: Pending
36
37Signed-off-by: Julius Hemanth Pitti <jpitti@cisco.com>
38---
39 telnetd/utility.c | 2 +-
40 1 file changed, 1 insertion(+), 1 deletion(-)
41
42diff --git a/telnetd/utility.c b/telnetd/utility.c
43index b9a46a6..4811f14 100644
44--- a/telnetd/utility.c
45+++ b/telnetd/utility.c
46@@ -66,7 +66,7 @@ netoprintf(const char *fmt, ...)
47 len = vsnprintf(nfrontp, maxsize, fmt, ap);
48 va_end(ap);
49
50- if (len<0 || len==maxsize) {
51+ if (len<0 || len>=maxsize) {
52 /* didn't fit */
53 netflush();
54 }
55--
562.19.1
57
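Review bot: The new `len>=maxsize` test on the `+` line correctly treats a truncated vsnprintf() result as "didn't fit", but if the surrounding code re-runs vsnprintf() after `netflush()` before performing the `nfrontp` adjustment the commit message describes (netoprintf's body begins and ends outside this hunk, so this is inferred), a single formatted message longer than the whole `netobuf` can never fit and the retry would spin indefinitely, turning the former overflow into a hang that a remote peer can still trigger. The retry path needs a bound: once `netflush()` has emptied the buffer, a `len` that is still `>= maxsize` should be clamped or dropped rather than retried, e.g. `if (len >= maxsize) len = maxsize - 1;` before `nfrontp` is advanced, so the pointer can never leave `netobuf` regardless of what vsnprintf() reports. The condition itself also deserves a comment, since the old `==` looked plausible: `/* vsnprintf returns the length it wanted to write; >= maxsize means the output was truncated, not that it exactly filled the buffer */`.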