Date: Tue, 27 Sep 2022 17:36:40 GMT
Message-Id: <202209271736.28RHaehr088568@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
From: Cy Schubert
Subject: git: 5760cb266e0a - main - Fix CVE-2020-10188
List-Id: Commit messages for the main branch of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-main
X-Git-Committer: cy
X-Git-Repository: src
X-Git-Refname: refs/heads/main
X-Git-Reftype: branch
X-Git-Commit: 5760cb266e0ab04c221c2acdb4b6c4c141130ecd

The branch main has been updated by cy:

URL: https://cgit.FreeBSD.org/src/commit/?id=5760cb266e0ab04c221c2acdb4b6c4c141130ecd

commit
5760cb266e0ab04c221c2acdb4b6c4c141130ecd Author: Cy Schubert AuthorDate: 2022-09-21 21:38:08 +0000 Commit: Cy Schubert CommitDate: 2022-09-27 17:36:13 +0000 Fix CVE-2020-10188 Reviewed by: emaste Obtained from: NetBSD 6cc1539c8028b MFC after: 3 days Differential Revision: https://reviews.freebsd.org/D36732 --- contrib/telnet/telnetd/utility.c | 32 +++++++++++++++++++++----------- 1 file changed, 21 insertions(+), 11 deletions(-) diff --git a/contrib/telnet/telnetd/utility.c b/contrib/telnet/telnetd/utility.c index 1ad51c55b177..2e1f61fd5bd9 100644 --- a/contrib/telnet/telnetd/utility.c +++ b/contrib/telnet/telnetd/utility.c @@ -147,31 +147,38 @@ ptyflush(void) * character. */ static char * -nextitem(char *current) +nextitem(char *current, const char *endp) { + if (current >= endp) { + return NULL; + } if ((*current&0xff) != IAC) { return current+1; } + if (current+1 >= endp) { + return NULL; + } switch (*(current+1)&0xff) { case DO: case DONT: case WILL: case WONT: - return current+3; + return current+3 <= endp ? current+3 : NULL; case SB: /* loop forever looking for the SE */ { char *look = current+2; - for (;;) { + while (look < endp) { if ((*look++&0xff) == IAC) { - if ((*look++&0xff) == SE) { + if (look < endp && (*look++&0xff) == SE) { return look; } } } + return NULL; } default: - return current+2; + return current+2 <= endp ? current+2 : NULL; } } /* end of nextitem */ @@ -197,7 +204,7 @@ netclear(void) char *thisitem, *next; char *good; #define wewant(p) ((nfrontp > p) && ((*p&0xff) == IAC) && \ - ((*(p+1)&0xff) != EC) && ((*(p+1)&0xff) != EL)) + (nfrontp > p+1) && ((*(p+1)&0xff) != EC) && ((*(p+1)&0xff) != EL)) #ifdef ENCRYPTION thisitem = nclearto > netobuf ? nclearto : netobuf; @@ -205,7 +212,7 @@ netclear(void) thisitem = netobuf; #endif /* ENCRYPTION */ - while ((next = nextitem(thisitem)) <= nbackp) { + while ((next = nextitem(thisitem, nbackp)) != NULL && (next <= nbackp)) { thisitem = next; } 
@@ -217,20 +224,23 @@ netclear(void) good = netobuf; /* where the good bytes go */ #endif /* ENCRYPTION */ - while (nfrontp > thisitem) { + while ((thisitem != NULL) && (nfrontp > thisitem)) { if (wewant(thisitem)) { int length; next = thisitem; do { - next = nextitem(next); - } while (wewant(next) && (nfrontp > next)); + next = nextitem(next, nfrontp); + } while ((next != NULL) && wewant(next) && (nfrontp > next)); + if (next == NULL) { + next = nfrontp; + } length = next-thisitem; memmove(good, thisitem, length); good += length; thisitem = next; } else { - thisitem = nextitem(thisitem); + thisitem = nextitem(thisitem, nfrontp); } }
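
Review bot: In the nextitem() hunk, the SB case still carries the comment "loop forever looking for the SE", but the loop is now bounded by endp and falls through to return NULL. Update that comment, and extend the function's header comment to say that NULL means the item is incomplete or would run past endp. The checks written as current+3 <= endp and current+2 <= endp also form the pointer before testing it, which is undefined behaviour in C if the result lands more than one element past the end of the buffer; comparing lengths instead, for example endp - current >= 3, avoids that.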
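
Review bot: In the wewant() hunk, the added (nfrontp > p+1) makes the leading (nfrontp > p) redundant, and the macro still expands its argument unparenthesised (*p&0xff, p+1), so passing an expression rather than a plain variable would bind wrongly. Consider keeping only the p+1 bound and writing (p) throughout, or replacing the macro with a static inline function that takes the end pointer as a parameter.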
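
Review bot: In the netclear() loop that walks up to nbackp, the (next <= nbackp) test can no longer fail: with endp set to nbackp, every non-NULL return from nextitem() is already at or before endp. Either drop the test or keep it with a comment saying it is defensive, so a reader does not go looking for a case where it matters.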
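
Review bot: In the copy loop of the last hunk, the two NULL paths behave differently and nothing says so. When nextitem() returns NULL inside the do/while, next is set to nfrontp and everything from thisitem to the end is copied, so a truncated trailing sequence is kept; when it returns NULL in the else branch, the loop ends without copying the tail. A short comment stating that this asymmetry is intended would help the next reader. The (nfrontp > next) term in the do/while condition is also already covered by the first test inside wewant(next).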