[Bug 266719] telnetd crashes if it receives IAC EC at session start
Date: Fri, 30 Sep 2022 09:55:27 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=266719
Bug ID: 266719
Summary: telnetd crashes if it receives IAC EC at session start
Product: Base System
Version: CURRENT
Hardware: Any
OS: Any
Status: New
Severity: Affects Some People
Priority: ---
Component: bin
Assignee: bugs@FreeBSD.org
Reporter: rtm@lcs.mit.edu
Attachment #236964 mime type: text/plain
Created attachment 236964
--> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=236964&action=edit
crash telnetd with IAC EC
If telnetd receives IAC EC (erase), telrcv() dereferences an sptr:
ch = *slctab[SLC_EC].sptr;
However, slctab[] is initialized only after telnetd asks the client
for the terminal type. That is, doit() calls getterminaltype() before
calling telnet(); and telnet() calls get_slc_defaults() which
initializes slctab[]. So if the client sends IAC EC too early in the
session, telnetd will crash.
I've attached a demo:
% cc telnetd2a.c
% ./a.out
gdb on telnetd says:
Program received signal SIGSEGV, Segmentation fault.
Address not mapped to object.
0x000000000102c1dc in telrcv () at /usr/src/contrib/telnet/telnetd/state.c:224
224 if (c == EC)
(gdb) where
#0 0x000000000102c1dc in telrcv ()
at /usr/src/contrib/telnet/telnetd/state.c:224
#1 0x0000000001030974 in ttloop ()
at /usr/src/contrib/telnet/telnetd/utility.c:84
#2 0x000000000102f131 in getterminaltype (name=<optimized out>)
at /usr/src/contrib/telnet/telnetd/telnetd.c:481
#3 0x000000000102efd8 in doit (who=who@entry=0x7fffffffe790)
at /usr/src/contrib/telnet/telnetd/telnetd.c:715
#4 0x000000000102ecb5 in main (argc=0, argv=<optimized out>)
at /usr/src/contrib/telnet/telnetd/telnetd.c:408
FreeBSD stock14 14.0-CURRENT FreeBSD 14.0-CURRENT #3 main-n258027-c9baa974717a:
Thu Sep 15 20:02:51 AST 2022
root@stock14:/usr/obj/usr/src/amd64.amd64/sys/GENERIC amd64
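The ordering problem the report describes, reduced to a runnable model. This is an added example, not FreeBSD's telnetd code: the IAC (255) and EC (247) values are RFC 854's, but the slctab layout, the SLC_EC index, and the function names get_slc_defaults/feed/telrcv_ec_* are simplified stand-ins for the real state.c and telnetd.c routines. It shows the unconditional dereference beside a checked version, and why processing client commands before the table is initialised is the actual defect.

```c
/* Model of the telnetd slctab[] initialisation-order bug (added example,
 * not FreeBSD code).  IAC/EC are RFC 854 command bytes; everything else
 * is a simplified stand-in for telnetd's real data structures. */
#include <stdio.h>
#include <stddef.h>
#include <string.h>

#define IAC 255
#define EC  247

typedef unsigned char cc_t;

enum { SLC_EC = 0, NSLC = 1 };          /* model: only the EC slot is kept */

struct slc_entry { cc_t *sptr; };       /* points at the tty's special char */
static struct slc_entry slctab[NSLC];   /* zeroed: sptr is NULL at start   */
static cc_t termbuf_erase;              /* stands in for termbuf.c_cc[VERASE] */

/* Models get_slc_defaults(): binds sptr to the erase character.  In real
 * telnetd this runs from telnet(), i.e. only after getterminaltype(). */
void get_slc_defaults(cc_t erase) {
    termbuf_erase = erase;
    slctab[SLC_EC].sptr = &termbuf_erase;
}

void reset_slctab(void) { memset(slctab, 0, sizeof slctab); }

/* Shape of the code in the report: dereference sptr unconditionally. */
int telrcv_ec_unchecked(cc_t *out) {
    *out = *slctab[SLC_EC].sptr;        /* NULL deref before initialisation */
    return 1;
}

/* Defensive shape: ignore IAC EC until the table has been set up. */
int telrcv_ec_checked(cc_t *out) {
    if (slctab[SLC_EC].sptr == NULL)
        return 0;                       /* command arrived too early */
    *out = *slctab[SLC_EC].sptr;
    return 1;
}

/* Run a client byte stream through a minimal IAC state machine.
 * Returns how many EC commands yielded an erase char; -1 means the
 * unchecked path would have dereferenced NULL (modelled rather than
 * executed, so the example does not itself crash). */
int feed(const unsigned char *buf, size_t len, int hardened, cc_t *last_ec) {
    int iac = 0, handled = 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = buf[i];
        if (!iac) {
            if (c == IAC) iac = 1;      /* plain data otherwise: ignore */
            continue;
        }
        iac = 0;                        /* IAC IAC, IAC EC, IAC NOP, ... */
        if (c != EC) continue;
        if (hardened) {
            handled += telrcv_ec_checked(last_ec);
        } else {
            if (slctab[SLC_EC].sptr == NULL) return -1;
            handled += telrcv_ec_unchecked(last_ec);
        }
    }
    return handled;
}

int main(void) {
    /* Constructed client input: IAC EC as the very first bytes, before any
     * terminal-type negotiation has happened. */
    const unsigned char early[] = { IAC, EC };
    cc_t ch = 0;

    reset_slctab();
    printf("unchecked, before init: %d (-1 = would SIGSEGV)\n",
           feed(early, sizeof early, 0, &ch));
    printf("checked,   before init: %d EC handled\n",
           feed(early, sizeof early, 1, &ch));

    get_slc_defaults(0x7f);             /* DEL as erase, once negotiated */
    printf("checked,   after init:  %d EC handled, erase=0x%02x\n",
           feed(early, sizeof early, 1, &ch), ch);
    return 0;
}
```

The check in telrcv_ec_checked() only papers over the symptom; the fix that matches the report's analysis is to make sure slctab[] is populated before telnetd starts consuming client commands in ttloop(), or to defer command processing until get_slc_defaults() has run.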