Date: Tue, 29 Apr 2025 20:33:08 GMT
Message-Id: <202504292033.53TKX8qI056156@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
From: John Baldwin
Subject: git: eef4e44a41e4 - stable/13 - telnet: Prevent buffer overflow in the user prompt for SRA
List-Id: Commit messages for all branches of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all
X-BeenThere: dev-commits-src-all@freebsd.org
Sender: owner-dev-commits-src-all@FreeBSD.org
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
X-Git-Committer: jhb
X-Git-Repository: src
X-Git-Refname: refs/heads/stable/13
X-Git-Reftype: branch
X-Git-Commit: eef4e44a41e467416322d0ee8907262e4bb07d49
Auto-Submitted: auto-generated

The branch stable/13 has been updated by jhb:

URL: https://cgit.FreeBSD.org/src/commit/?id=eef4e44a41e467416322d0ee8907262e4bb07d49

commit eef4e44a41e467416322d0ee8907262e4bb07d49
Author:     John Baldwin
AuthorDate: 2025-04-16 13:41:03 +0000
Commit:     John Baldwin
CommitDate: 2025-04-29 14:45:59 +0000

    telnet: Prevent buffer overflow in the user prompt for SRA

    The Secure RPC authenticator for telnet prompts the local user for the
    username to use for authentication.  Previously it was using sprintf()
    into a buffer of 256 bytes, but the username received over the wire
    can be up to 255 bytes long which would overflow the prompt buffer.

    Fix this in two ways: First, use snprintf() and check for overflow.
    If the prompt buffer overflows, fail authentication without prompting
    the user.  Second, add 10 bytes to the buffer size to account for the
    overhead of the prompt so that a maximally sized username fits.

    While here, replace a bare 255 in the subsequent telnet_gets call with
    an expression using sizeof() the relevant buffer.

PR: 270263 Reported by: Robert Morris Tested on: CHERI Reviewed by: emaste Differential Revision: https://reviews.freebsd.org/D49832 (cherry picked from commit 5737c2ae06e143e49496df2ab5a64f76d5456012) --- contrib/telnet/libtelnet/sra.c | 16 ++++++++++++---- 1 file changed, 12 insertions(+), 4 deletions(-) diff --git a/contrib/telnet/libtelnet/sra.c b/contrib/telnet/libtelnet/sra.c index 4a759685ca42..92ce5f6877d6 100644 --- a/contrib/telnet/libtelnet/sra.c +++ b/contrib/telnet/libtelnet/sra.c @@ -245,9 +245,10 @@ bad: void sra_reply(Authenticator *ap, unsigned char *data, int cnt) { - char uprompt[256],tuser[256]; + char uprompt[256 + 10]; /* +10 for "User (): " */ + char tuser[256]; Session_Key skey; - size_t i; + size_t i, len; if (cnt-- < 1) return; @@ -270,8 +271,15 @@ sra_reply(Authenticator *ap, unsigned char *data, int cnt) /* encode user */ memset(tuser,0,sizeof(tuser)); - sprintf(uprompt,"User (%s): ",UserNameRequested); - telnet_gets(uprompt,tuser,255,1); + len = snprintf(uprompt, sizeof(uprompt), "User (%s): ", + UserNameRequested); + if (len >= sizeof(uprompt)) { + if (auth_debug_mode) { + printf("SRA user name too long\r\n"); + } + return; + } + telnet_gets(uprompt, tuser, sizeof(tuser) - 1, 1); if (tuser[0] == '\n' || tuser[0] == '\r' ) strcpy(user,UserNameRequested); else {
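
Review bot: In the first hunk, the size of `uprompt` is tied to the prompt format only by the comment on `char uprompt[256 + 10];`, so a later change to the "User (%s): " string can silently shrink the margin. The nine fixed characters plus the terminating NUL are exactly what `sizeof("User (): ")` yields, so `char uprompt[256 + sizeof("User (): ")];` would keep the arithmetic next to the literal it depends on. The 256 likewise assumes the maximum length of `UserNameRequested`, whose declaration is not visible in this diff; deriving it from that buffer's size, if it is an array, would remove the second magic number.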
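
Review bot: In the second hunk, `len = snprintf(...)` stores an `int` return value in the `size_t` declared in the first hunk, so a negative error return is rejected only because it converts to a very large unsigned value that happens to satisfy `len >= sizeof(uprompt)`. The check fails closed as written, but the intent would be clearer with `int len` and `if (len < 0 || (size_t)len >= sizeof(uprompt))`. Separately, the "SRA user name too long" message is printed only under `auth_debug_mode`, so in normal operation the bare `return` gives the local user no indication of why authentication stopped; a short comment stating that this is deliberate would help the next reader.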