[Bug 266719] telnetd crashes if it receives IAC EC at session start

From: <bugzilla-noreply_at_freebsd.org>
Date: Fri, 30 Sep 2022 09:55:27 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=266719

            Bug ID: 266719
           Summary: telnetd crashes if it receives IAC EC at session start
           Product: Base System
           Version: CURRENT
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Some People
          Priority: ---
         Component: bin
          Assignee: bugs@FreeBSD.org
          Reporter: rtm@lcs.mit.edu
 Attachment #236964 mime type: text/plain

Created attachment 236964
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=236964&action=edit
crash telnetd with IAC EC

If telnetd receives IAC EC (erase), telrcv() dereferences an sptr:

        ch = *slctab[SLC_EC].sptr;

However, slctab[] is initialized only after telnetd asks the client
for the terminal type. That is, doit() calls getterminaltype() before
calling telnet(); and telnet() calls get_slc_defaults() which
initializes slctab[]. So if the client sends IAC EC too early in the
session, telnetd will crash.

I've attached a demo:

% cc telnetd2a.c
% ./a.out

gdb on telnetd says:

Program received signal SIGSEGV, Segmentation fault.
Address not mapped to object.
0x000000000102c1dc in telrcv () at /usr/src/contrib/telnet/telnetd/state.c:224
224                                     if (c == EC)
(gdb) where
#0  0x000000000102c1dc in telrcv ()
    at /usr/src/contrib/telnet/telnetd/state.c:224
#1  0x0000000001030974 in ttloop ()
    at /usr/src/contrib/telnet/telnetd/utility.c:84
#2  0x000000000102f131 in getterminaltype (name=<optimized out>)
    at /usr/src/contrib/telnet/telnetd/telnetd.c:481
#3  0x000000000102efd8 in doit (who=who@entry=0x7fffffffe790)
    at /usr/src/contrib/telnet/telnetd/telnetd.c:715
#4  0x000000000102ecb5 in main (argc=0, argv=<optimized out>)
    at /usr/src/contrib/telnet/telnetd/telnetd.c:408

FreeBSD stock14 14.0-CURRENT FreeBSD 14.0-CURRENT #3 main-n258027-c9baa974717a:
Thu Sep 15 20:02:51 AST 2022
root@stock14:/usr/obj/usr/src/amd64.amd64/sys/GENERIC amd64

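The following is an added illustration, not code from the report or from the FreeBSD telnetd sources. It is a cut-down model of the telrcv() IAC handling the report describes, with a table named after the report's identifiers (slctab, SLC_EC, sptr) whose pointers are NULL until a stand-in for get_slc_defaults() runs. The model shows the defensive shape of the fix: an SLC entry whose sptr has not been filled in yet is treated as "no mapping" and the EC command is dropped, so a client that sends IAC EC before the terminal-type negotiation finishes no longer reaches a NULL dereference. The constant values, the two-state receiver and the counters are all constructed for this example.

```c
#include <stddef.h>
#include <stdio.h>

/* Telnet command bytes (RFC 854) and the SLC function index for EC. */
#define IAC    255
#define EC     247
#define SLC_EC 10    /* assumed index; mirrors the report's slctab[SLC_EC] */
#define NSLC   18

/* One SLC table entry: sptr points at the tty's special character, or is
 * NULL until the defaults have been loaded (the state the report hits). */
struct slc_entry { unsigned char *sptr; };

static unsigned char termbuf_verase;         /* stands in for the tty VERASE char */
static struct slc_entry slctab[NSLC + 1];    /* zero-initialised: every sptr == NULL */

/* Start of a new session: nothing is mapped yet. */
void reset_session(void) {
    for (int i = 0; i <= NSLC; i++)
        slctab[i].sptr = NULL;
    termbuf_verase = 0x7f;                   /* DEL, a common erase character */
}

/* Stand-in for get_slc_defaults(): only now do the pointers become valid. */
void get_slc_defaults(void) {
    slctab[SLC_EC].sptr = &termbuf_verase;
}

/* Hardened receiver model. Walks a client byte stream, tracks the IAC
 * prefix state, and honours IAC EC only when slctab[SLC_EC].sptr is set.
 * Returns the number of EC commands honoured; *ignored counts the EC
 * commands dropped because the table was not initialised; *last_erase is
 * the erase character used by the most recent honoured EC, or -1. */
int telrcv_model(const unsigned char *buf, size_t len, int *ignored, int *last_erase) {
    enum { TS_DATA, TS_IAC } state = TS_DATA;
    int honoured = 0;
    *ignored = 0;
    *last_erase = -1;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = buf[i];
        switch (state) {
        case TS_DATA:
            if (c == IAC)
                state = TS_IAC;
            /* ordinary data would be forwarded to the pty here */
            break;
        case TS_IAC:
            state = TS_DATA;
            if (c == EC) {
                unsigned char *p = slctab[SLC_EC].sptr;
                if (p == NULL) {             /* the missing check: no mapping yet */
                    (*ignored)++;
                    break;
                }
                *last_erase = *p;
                honoured++;
            }
            /* other commands (WILL/WONT/DO/DONT, EL, ...) are out of scope here */
            break;
        }
    }
    return honoured;
}

/* Ordering from the report: IAC EC arrives before the defaults are loaded.
 * Returns how many EC commands were dropped instead of crashing. */
int early_ec_ignored(void) {
    const unsigned char stream[] = { IAC, EC };     /* constructed input */
    int ignored, erase;
    reset_session();
    telrcv_model(stream, sizeof stream, &ignored, &erase);
    return ignored;
}

/* Normal ordering: defaults loaded first, so EC maps to the erase char.
 * Returns the erase character that was used. */
int late_ec_erase(void) {
    const unsigned char stream[] = { IAC, EC };     /* constructed input */
    int ignored, erase;
    reset_session();
    get_slc_defaults();
    telrcv_model(stream, sizeof stream, &ignored, &erase);
    return erase;
}

int main(void) {
    printf("early IAC EC: %d command(s) ignored safely\n", early_ec_ignored());
    printf("after defaults: erase char 0x%02x\n", late_ec_erase());
    return 0;
}
```

The NULL check is the minimal fix; the other option the report's description implies is to load the SLC defaults before getterminaltype() starts reading client input, so that sptr is never NULL while telrcv() can run. Either way, the invariant to enforce is that no command handler dereferences an SLC pointer that the session has not yet populated.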