path: root/meta-openembedded/meta-networking/recipes-netkit/netkit-telnet/files/0001-telnetd-utility.c-Fix-buffer-overflow-in-netoprintf.patch
author    Jason M. Bills <jason.m.bills@linux.intel.com> 2020-12-08 00:38:17 +0300
committer Jason M. Bills <jason.m.bills@linux.intel.com> 2020-12-08 00:38:17 +0300
commit    8d6ae7f2a817751fad151168fa10ce28ee0869d8 (patch)
tree      281032f7ec07c41589aa094bd165cc2a98f2d3a7 /meta-openembedded/meta-networking/recipes-netkit/netkit-telnet/files/0001-telnetd-utility.c-Fix-buffer-overflow-in-netoprintf.patch
parent    c16fb8893b19075db4bcf3b5bf33c1db8c3ca2bd (diff)
parent    5da3c2284560a7e08ffafd03c5b5ba44a3242228 (diff)
download  openbmc-8d6ae7f2a817751fad151168fa10ce28ee0869d8.tar.xz
Merge tag '0.26' of ssh://git-amr-1.devtools.intel.com:29418/openbmc-openbmc into update
Diffstat (limited to 'meta-openembedded/meta-networking/recipes-netkit/netkit-telnet/files/0001-telnetd-utility.c-Fix-buffer-overflow-in-netoprintf.patch')
-rw-r--r--  meta-openembedded/meta-networking/recipes-netkit/netkit-telnet/files/0001-telnetd-utility.c-Fix-buffer-overflow-in-netoprintf.patch  56
1 files changed, 56 insertions, 0 deletions
diff --git a/meta-openembedded/meta-networking/recipes-netkit/netkit-telnet/files/0001-telnetd-utility.c-Fix-buffer-overflow-in-netoprintf.patch b/meta-openembedded/meta-networking/recipes-netkit/netkit-telnet/files/0001-telnetd-utility.c-Fix-buffer-overflow-in-netoprintf.patch
new file mode 100644
index 000000000..8f983e40a
--- /dev/null
+++ b/meta-openembedded/meta-networking/recipes-netkit/netkit-telnet/files/0001-telnetd-utility.c-Fix-buffer-overflow-in-netoprintf.patch
@@ -0,0 +1,56 @@
+From 9c81c8e5bc7782e8ae12c078615abc3c896059f2 Mon Sep 17 00:00:00 2001
+From: Julius Hemanth Pitti <jpitti@cisco.com>
+Date: Tue, 14 Jul 2020 22:34:19 -0700
+Subject: [PATCH] telnetd/utility.c: Fix buffer overflow in netoprintf
+
+As per man page of vsnprintf, when formated
+string size is greater than "size"(2nd argument),
+then vsnprintf returns size of formated string,
+not "size"(2nd argument).
+
+netoprintf() was not handling a case where
+return value of vsnprintf is greater than
+"size"(2nd argument), results in buffer overflow
+while adjusting "nfrontp" pointer to point
+beyond "netobuf" buffer.
+
+Here is one such case where "nfrontp"
+crossed boundaries of "netobuf", and
+pointing to another global variable.
+
+(gdb) p &netobuf[8255]
+$5 = 0x55c93afe8b1f <netobuf+8255> ""
+(gdb) p nfrontp
+$6 = 0x55c93afe8c20 <terminaltype> "\377"
+(gdb) p &terminaltype
+$7 = (char **) 0x55c93afe8c20 <terminaltype>
+(gdb)
+
+This resulted in crash of telnetd service
+with segmentation fault.
+
+Though this is DoS security bug, I couldn't
+find any CVE ID for this.
+
+Upstream-Status: Pending
+
+Signed-off-by: Julius Hemanth Pitti <jpitti@cisco.com>
+---
+ telnetd/utility.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/telnetd/utility.c b/telnetd/utility.c
+index b9a46a6..4811f14 100644
+--- a/telnetd/utility.c
++++ b/telnetd/utility.c
+@@ -66,7 +66,7 @@ netoprintf(const char *fmt, ...)
+ len = vsnprintf(nfrontp, maxsize, fmt, ap);
+ va_end(ap);
+
+- if (len<0 || len==maxsize) {
++ if (len<0 || len>=maxsize) {
+ /* didn't fit */
+ netflush();
+ }
+--
+2.19.1
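Review bot: The one-line change in the nested telnetd hunk (`- if (len<0 || len==maxsize) {` to `+ if (len<0 || len>=maxsize) {`) is the right condition, since vsnprintf returns the length the output would have had rather than the bytes actually written when it truncates, but the lines that subsequently advance `nfrontp` by `len` are outside the visible context of `@@ -66,7 +66,7 @@`, so this hunk alone does not show whether a truncated message is re-formatted after `netflush()` or silently dropped; the commit message of the nested patch should state how the truncated case is handled, or the patch should carry enough context to show it. Separately, the patch file is marked `Upstream-Status: Pending` and the author notes no CVE ID could be found; recording that lookup (and the upstream submission link, once it exists) in the patch header would let the recipe's CVE-check tooling account for this fix.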