Hi,
I found a problem in terminaltypeok() function, which calls tgetent()
with 1kB buffer. This is fine, if telnetd is linked against ncurses,
but if it is linked against GNU termcap, there is a buffer overflow
for xterm (and maybe other) terminal type, which requires 2030 bytes
and telnetd crashes. Documentation of GNU termcap proposes making this
buffer 2kB (see
http://www.gnu.org/software/termutils/manual/termcap-1.3/html_mono/termcap.html#SEC4).
I hope this is my last telnet issue :-)
Petr
--- telnetd/utility.c 2012-08-23 20:20:41.000000000 +0200
+++ telnetd/utility.c 2012-08-23 20:22:19.540859145 +0200
@@ -843,7 +843,7 @@ getterminaltype (char *user_name)
int
terminaltypeok (char *s)
{
- char buf[1024];
+ char buf[2048];
if (terminaltype == NULL)
return 1;
