[Bug 266719] telnetd crashes if it receives IAC EC at session start
Date: Fri, 30 Sep 2022 09:55:27 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=266719

            Bug ID: 266719
           Summary: telnetd crashes if it receives IAC EC at session start
           Product: Base System
           Version: CURRENT
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Some People
          Priority: ---
         Component: bin
          Assignee: bugs@FreeBSD.org
          Reporter: rtm@lcs.mit.edu
        Attachment #236964 text/plain
         mime type:

Created attachment 236964
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=236964&action=edit
crash telnetd with IAC EC

If telnetd receives IAC EC (erase), telrcv() dereferences an sptr:

  ch = *slctab[SLC_EC].sptr;

However, slctab[] is initialized only after telnetd asks the client for the
terminal type. That is, doit() calls getterminaltype() before calling
telnet(); and telnet() calls get_slc_defaults() which initializes slctab[].

So if the client sends IAC EC too early in the session, telnetd will crash.

I've attached a demo:

  % cc telnetd2a.c
  % ./a.out

gdb on telnetd says:

  Program received signal SIGSEGV, Segmentation fault.
  Address not mapped to object.
  0x000000000102c1dc in telrcv () at /usr/src/contrib/telnet/telnetd/state.c:224
  224                 if (c == EC)
  (gdb) where
  #0  0x000000000102c1dc in telrcv () at /usr/src/contrib/telnet/telnetd/state.c:224
  #1  0x0000000001030974 in ttloop () at /usr/src/contrib/telnet/telnetd/utility.c:84
  #2  0x000000000102f131 in getterminaltype (name=<optimized out>) at /usr/src/contrib/telnet/telnetd/telnetd.c:481
  #3  0x000000000102efd8 in doit (who=who@entry=0x7fffffffe790) at /usr/src/contrib/telnet/telnetd/telnetd.c:715
  #4  0x000000000102ecb5 in main (argc=0, argv=<optimized out>) at /usr/src/contrib/telnet/telnetd/telnetd.c:408

FreeBSD stock14 14.0-CURRENT FreeBSD 14.0-CURRENT #3 main-n258027-c9baa974717a: Thu Sep 15 20:02:51 AST 2022     root@stock14:/usr/obj/usr/src/amd64.amd64/sys/GENERIC amd64

-- 
You are receiving this mail because:
You are the assignee for the bug.
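An added illustration of the initialization-order defect the report describes, together with the null check that lets a receive loop drop a premature IAC EC instead of faulting. This is example code written for this page, not FreeBSD's telnetd source; slc_entry, term_cc, ec_char_guarded, telrcv_byte, saw_iac and erase_ch are hypothetical stand-ins for the slctab[]/sptr structures and telrcv() named in the report, and the erase-character value is constructed.

```c
#include <stddef.h>
#define IAC 255    /* telnet "interpret as command" byte, RFC 854 */
#define EC  247    /* telnet "erase character" command, RFC 854 */

/* Hypothetical stand-ins for telnetd's slctab[]/sptr: each entry points into
 * the tty special-character settings, and that pointer is only bound when
 * get_slc_defaults() runs, which is the ordering the report describes. */
enum { SLC_EC = 0, NSLC = 1 };
struct slc_entry { unsigned char *sptr; };   /* NULL until bound */

static unsigned char term_cc[NSLC];    /* stands in for the tty's c_cc[] */
static struct slc_entry slctab[NSLC];  /* static storage: sptr starts NULL */

/* Mirrors telnet() -> get_slc_defaults(): binds the entry to its tty char. */
void get_slc_defaults(void)
{
    term_cc[SLC_EC] = 0x7f;                 /* constructed: DEL as erase */
    slctab[SLC_EC].sptr = &term_cc[SLC_EC];
}

/* Guarded lookup: returns -1 instead of dereferencing an unbound entry.
 * The crashing line in the report is this same read without the check. */
int ec_char_guarded(void)
{
    if (slctab[SLC_EC].sptr == NULL)
        return -1;
    return *slctab[SLC_EC].sptr;
}

static int saw_iac;             /* receive state: previous byte was IAC */
static unsigned char erase_ch;  /* last erase character applied */

/* telrcv()-style handling of one input byte. Returns 2 when IAC EC was
 * applied (erase_ch updated), 1 when IAC EC arrived before the table was
 * bound and was dropped, 0 for any other byte. */
int telrcv_byte(unsigned char b)
{
    if (!saw_iac) {            /* plain data: only watch for IAC */
        saw_iac = (b == IAC);
        return 0;
    }
    saw_iac = 0;
    if (b != EC)               /* other commands are out of scope here */
        return 0;
    int ch = ec_char_guarded();
    if (ch < 0)
        return 1;              /* premature: dropped instead of crashing */
    erase_ch = (unsigned char)ch;
    return 2;
}
```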