Dear all:
I downloaded the GNU telnet code from
http://ftp.gnu.org/gnu/inetutils/inetutils-1.7.tar.gz. In the telnet code in
commands.c,
I found that this function has a local buffer overflow bug; see:
commands.c:

#include <stdlib.h>   /* getenv */
#include <string.h>   /* strcpy, strcat */

static char *rcname = 0;
static char rcbuf[128];

static void
cmdrc (char *m1, char *m2)
{
  if (rcname == 0)
    {
      /* When getenv() returns the HOME environment value, its length is
         not checked before it is copied into rcbuf. If the value is too
         long (>128), it causes a buffer overflow.  */
      rcname = getenv ("HOME");
      if (rcname)
        strcpy (rcbuf, rcname);
      else
        rcbuf[0] = '\0';
      strcat (rcbuf, "/.telnetrc");
      rcname = rcbuf;
    }
You can test it with:
export HOME="aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
./telnet localhost 22
My terminal has crashed.
And my patch is:
diff -Nur inetutils-1.7/telnet/commands.c inetutils-1.7-new/telnet/commands.c
--- inetutils-1.7/telnet/commands.c 2009-12-14 19:36:17.000000000 +0800
+++ inetutils-1.7-new/telnet/commands.c 2009-12-27 19:02:44.000000000 +0800
@@ -3029,6 +3029,8 @@
if (rcname == 0)
{
rcname = getenv ("HOME");
+ if (strlen(rcname) > 128)
+ return ;
if (rcname)
strcpy (rcbuf, rcname);
else
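Review bot: the added `strlen(rcname)` in the @@ -3029 hunk runs before the existing `if (rcname)` NULL test, so an unset HOME now dereferences NULL where the original fell through to `rcbuf[0] = '\0'`; move the length test inside the `if (rcname)` branch (or write `if (rcname && strlen (rcname) ...)`). The bound is also too loose: rcbuf is 128 bytes and the later `strcat (rcbuf, "/.telnetrc")` appends 10 bytes plus the terminator, so any HOME longer than 117 bytes still overflows; the condition should be `strlen (rcname) + sizeof "/.telnetrc" > sizeof rcbuf`, using `sizeof rcbuf` rather than the literal 128 so the two stay in step. Finally, the bare `return ;` leaves `rcname == 0`, so every later call re-reads HOME and the rc file is silently skipped; either fall back to a safe default or report the condition to the user.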
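As an added example (not from the email above and not inetutils code), the following shows the bounds-checked path construction that the patch is reaching for, written from the defender's side: the NULL case is handled before any `strlen`, the limit accounts for the "/.telnetrc" suffix and the terminator, and an over-long HOME is rejected instead of truncated. The names `home_fits`, `build_rc_path`, `rc_name` and `fits_len` are hypothetical; `RCBUF_SIZE` mirrors the 128-byte `rcbuf` in commands.c, and the HOME values are constructed inputs.

```c
/* Added example, not inetutils code: bounds-checked construction of the
 * "$HOME/.telnetrc" path that cmdrc() builds into rcbuf[128].
 * Function names (home_fits, build_rc_path, rc_name, fits_len) are
 * hypothetical; RCBUF_SIZE mirrors the 128-byte rcbuf from commands.c. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define RCBUF_SIZE 128
#define RC_SUFFIX  "/.telnetrc"

/* The check a fix needs: home + suffix + terminating NUL must fit.
 * For a 128-byte buffer that means strlen(home) <= 117; a test against
 * the literal 128 still lets the later strcat() overflow by up to 11 bytes. */
int home_fits(const char *home, size_t bufsize)
{
    if (home == NULL)            /* HOME unset: nothing to copy, no strlen(NULL) */
        return 0;
    return strlen(home) + strlen(RC_SUFFIX) + 1 <= bufsize;
}

/* Write "<home>/.telnetrc" into buf. Returns 0 on success, -1 when home is
 * unset or would not fit; buf is left as an empty string on failure so the
 * caller never sees a partial path. */
int build_rc_path(const char *home, char *buf, size_t bufsize)
{
    if (buf == NULL || bufsize == 0)
        return -1;
    buf[0] = '\0';
    if (!home_fits(home, bufsize))
        return -1;
    /* snprintf bounds the write; the fit check makes truncation unreachable,
     * but the return value is still tested so a future size change cannot
     * silently reintroduce a shortened path. */
    int n = snprintf(buf, bufsize, "%s%s", home, RC_SUFFIX);
    if (n < 0 || (size_t)n >= bufsize) {
        buf[0] = '\0';
        return -1;
    }
    return 0;
}

/* Same shape as the original: a static buffer filled once. On failure it
 * returns NULL so the caller skips the rc file rather than working from a
 * path built out of whatever happened to be copied. The home value is a
 * parameter (the caller would pass getenv("HOME")) so it can be tested. */
static char rcbuf[RCBUF_SIZE];

const char *rc_name(const char *home)
{
    if (build_rc_path(home, rcbuf, sizeof rcbuf) != 0)
        return NULL;
    return rcbuf;
}

/* Helper for exercising the boundary: a HOME of exactly `len` 'a' bytes
 * (constructed input, like the export line in the report). Returns 1 if it
 * fits RCBUF_SIZE, 0 if not, -1 on allocation failure. */
int fits_len(size_t len)
{
    char *home = malloc(len + 1);
    if (home == NULL)
        return -1;
    memset(home, 'a', len);
    home[len] = '\0';
    int ok = home_fits(home, RCBUF_SIZE);
    free(home);
    return ok;
}

int main(void)
{
    const char *p = rc_name("/home/alice");
    printf("normal HOME : %s\n", p ? p : "(rejected)");
    printf("unset HOME  : %s\n", rc_name(NULL) ? "built" : "(rejected)");
    printf("117-byte HOME fits: %d, 118-byte HOME fits: %d, 299-byte HOME fits: %d\n",
           fits_len(117), fits_len(118), fits_len(299));
    return 0;
}
```

The boundary worth remembering is 117, not 128: with a 128-byte buffer, a 117-byte HOME plus the 10-byte suffix and the terminator exactly fills it, and a 118-byte HOME already writes one byte past the end under the original strcpy/strcat sequence.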