blob: e8c3f1d84bcb6efc2431e996f047016e7ed24bd7 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
|
From 4133a888aa256312186962ab70d4a36eed5920c1 Mon Sep 17 00:00:00 2001
From: Brooks Davis <brooks@FreeBSD.org>
Date: Mon, 26 Sep 2022 18:56:51 +0100
Subject: [PATCH] telnetd: fix two-byte input crash
Move initialization of the slc table earlier so it doesn't get
accessed before that happens.
For details on the issue, see:
https://pierrekim.github.io/blog/2022-08-24-2-byte-dos-freebsd-netbsd-telnetd-netkit-telnetd-inetutils-telnetd-kerberos-telnetd.html
Reviewed by: cy
Obtained from: NetBSD via cy
Differential Revision: https://reviews.freebsd.org/D36680
CVE: CVE-2022-39028
Upstream-Status: Backport [https://cgit.freebsd.org/src/commit/?id=6914ffef4e23]
(cherry picked from commit 6914ffef4e2318ca1d0ead28eafb6f06055ce0f8)
Signed-off-by: Sanjay Chitroda <sanjay.chitroda@einfochips.com>
---
telnetd/telnetd.c | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/telnetd/telnetd.c b/telnetd/telnetd.c
index f36f505..efa0fe1 100644
--- a/telnetd/telnetd.c
+++ b/telnetd/telnetd.c
@@ -615,6 +615,11 @@ doit(struct sockaddr_in *who)
int level;
char user_name[256];
+ /*
+ * Initialize the slc mapping table.
+ */
+ get_slc_defaults();
+
/*
* Find an available pty to use.
*/
@@ -698,11 +703,6 @@ void telnet(int f, int p)
char *HE;
const char *IM;
- /*
- * Initialize the slc mapping table.
- */
- get_slc_defaults();
-
/*
* Do some tests where it is desireable to wait for a response.
* Rather than doing them slowly, one at a time, do them all
|
