Date: Wed, 16 Apr 2025 13:41:52 GMT
Message-Id: <202504161341.53GDfqfA084937@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
From: John Baldwin
Subject: git: 5737c2ae06e1 - main - telnet: Prevent buffer overflow in the user prompt for SRA
List-Id: Commit messages for the main branch of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-main
Sender: owner-dev-commits-src-main@FreeBSD.org
X-Git-Committer: jhb
X-Git-Repository: src
X-Git-Refname: refs/heads/main
X-Git-Reftype: branch
X-Git-Commit: 5737c2ae06e143e49496df2ab5a64f76d5456012
Auto-Submitted: auto-generated

The branch main has been updated by jhb:

URL: https://cgit.FreeBSD.org/src/commit/?id=5737c2ae06e143e49496df2ab5a64f76d5456012

commit 5737c2ae06e143e49496df2ab5a64f76d5456012
Author:     John Baldwin
AuthorDate: 2025-04-16 13:41:03 +0000
Commit:     John Baldwin
CommitDate: 2025-04-16 13:41:03 +0000

    telnet: Prevent buffer overflow in the user prompt for SRA

    The Secure RPC authenticator for telnet prompts the local user for the
    username to use for authentication. Previously it was using sprintf()
    into a buffer of 256 bytes, but the username received over the wire can
    be up to 255 bytes long which would overflow the prompt buffer.

    Fix this in two ways: First, use snprintf() and check for overflow. If
    the prompt buffer overflows, fail authentication without prompting the
    user. Second, add 10 bytes to the buffer size to account for the
    overhead of the prompt so that a maximally sized username fits.

    While here, replace a bare 255 in the subsequent telnet_gets call with
    an expression using sizeof() the relevant buffer.

    PR:             270263
    Reported by:    Robert Morris
    Tested on:      CHERI
    Reviewed by:    emaste
    Differential Revision:  https://reviews.freebsd.org/D49832
---
 contrib/telnet/libtelnet/sra.c | 16 ++++++++++++----
 1 file changed, 12 insertions(+), 4 deletions(-)

diff --git a/contrib/telnet/libtelnet/sra.c b/contrib/telnet/libtelnet/sra.c index abacda12b495..3531c703a3d0 100644 --- a/contrib/telnet/libtelnet/sra.c +++ b/contrib/telnet/libtelnet/sra.c @@ -241,9 +241,10 @@ bad: void sra_reply(Authenticator *ap, unsigned char *data, int cnt) { - char uprompt[256],tuser[256]; + char uprompt[256 + 10]; /* +10 for "User (): " */ + char tuser[256]; Session_Key skey; - size_t i; + size_t i, len; if (cnt-- < 1) return; @@ -266,8 +267,15 @@ sra_reply(Authenticator *ap, unsigned char *data, int cnt) /* encode user */ memset(tuser,0,sizeof(tuser)); - sprintf(uprompt,"User (%s): ",UserNameRequested); - telnet_gets(uprompt,tuser,255,1); + len = snprintf(uprompt, sizeof(uprompt), "User (%s): ", + UserNameRequested); + if (len >= sizeof(uprompt)) { + if (auth_debug_mode) { + printf("SRA user name too long\r\n"); + } + return; + } + telnet_gets(uprompt, tuser, sizeof(tuser) - 1, 1); if (tuser[0] == '\n' || tuser[0] == '\r' ) strcpy(user,UserNameRequested); else {
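
Review bot: In the first hunk (the declarations at the top of sra_reply()), the `+ 10` in `char uprompt[256 + 10];` is tied to the "User (%s): " format used by the snprintf() call in the second hunk only through a comment. The fixed text is 9 characters plus the terminating NUL, so the arithmetic holds for a 255-byte name, but a later edit to the format string would silently make the buffer too small again; the new length check would then reject long names rather than overflow, which is safe but surprising. Consider deriving the extra space from the prompt literal itself, for example via a shared macro for the fixed text and `sizeof()` on it, so the two cannot drift apart.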
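
Review bot: In the second hunk, snprintf() returns int but its result is stored in `size_t len`, so a negative error return is rejected only because it converts to a very large unsigned value in `if (len >= sizeof(uprompt))`. Keeping the result in an int and testing `len < 0 || (size_t)len >= sizeof(uprompt)` would make that intent explicit. Separately, the unchanged context still does `strcpy(user,UserNameRequested);` and the size of `user` is not visible in this hunk, so it is worth confirming that it holds a maximum-length name. The early `return` also gives the local user no indication of why authentication stopped unless auth_debug_mode is set.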