[Bug 270263] telnet buffer overflow if server sends long TELQUAL_NAME for sra
Date: Mon, 14 Apr 2025 22:04:01 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=270263

John Baldwin <jhb@FreeBSD.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |jhb@FreeBSD.org

--- Comment #1 from John Baldwin <jhb@FreeBSD.org> ---
Reproduced on CHERI Morello:

Core was generated by `telnet localhost'.
Program terminated with signal SIGPROT, CHERI protection violation.
Capability bounds fault.
#0  0x0000000041124c64 in memcpy (
    dst0=0xfffffff7f8e0 [rwRW,0xfffffff7f7e0-0xfffffff7f8e0],
    src0=<optimized out>, length=3)
    at /usr/home/john/work/git/cheribsd/lib/libc/string/bcopy.c:142
142		TLOOP1(*--dst = *--src);
(gdb) where
#0  0x0000000041124c64 in memcpy (
    dst0=0xfffffff7f8e0 [rwRW,0xfffffff7f7e0-0xfffffff7f8e0],
    src0=<optimized out>, length=3)
    at /usr/home/john/work/git/cheribsd/lib/libc/string/bcopy.c:142
#1  0x0000000040a763a4 in __sfvwrite (
    fp=0xfffffff7f440 [rwRW,0xfffffff7f440-0xfffffff7f610],
    uio=0xfffffff7e9a0 [rwRW,0xfffffff7e990-0xfffffff7eac0])
    at /usr/home/john/work/git/cheribsd/lib/libc/stdio/fvwrite.c:124
#2  0x0000000040b80d1c in __sprint (
    fp=0xfffffff7f8e0 [rwRW,0xfffffff7f7e0-0xfffffff7f8e0],
    uio=0xfffffff7e9a0 [rwRW,0xfffffff7e990-0xfffffff7eac0],
    locale=<optimized out>)
    at /usr/home/john/work/git/cheribsd/lib/libc/stdio/vfprintf.c:177
#3  io_flush (iop=0xfffffff7e990, locale=<optimized out>)
    at /usr/home/john/work/git/cheribsd/lib/libc/stdio/printfcommon.h:168
#4  __vfprintf (fp=0xfffffff7f440 [rwRW,0xfffffff7f440-0xfffffff7f610],
    locale=0x40afd3e0 <__xlocale_global_locale> [rwRWE,0x40afd3e0-0x40afd540],
    serrno=0, fmt0=0x112276 [rR,0x112276-0x112282] "User (%s): ",
    ap=<optimized out>)
    at /usr/home/john/work/git/cheribsd/lib/libc/stdio/vfprintf.c:1147
#5  0x0000000040b87c40 in vsprintf_l (
    locale=0x40afd3e0 <__xlocale_global_locale> [rwRWE,0x40afd3e0-0x40afd540],
    str=<optimized out>, fmt=<optimized out>, ap=<optimized out>)
    at /usr/home/john/work/git/cheribsd/lib/libc/stdio/vsprintf.c:60
#6  vsprintf (
    str=0xfffffff7f7e0 [rwRW,0xfffffff7f7e0-0xfffffff7f8e0] "User (\00601111110111111", '0' <repeats 179 times>...,
    fmt=0x112276 [rR,0x112276-0x112282] "User (%s): ",
    ap=0xfffffff7f6d0 [rRW,0xfffffff7f6d0-0xfffffff7f6e0])
    at /usr/home/john/work/git/cheribsd/lib/libc/stdio/vsprintf.c:67
#7  0x0000000040b7de2c in sprintf (
    str=0xfffffff7f8e0 [rwRW,0xfffffff7f7e0-0xfffffff7f8e0] "`\371\367\377\377\377",
    fmt=0x11227e [rR,0x112276-0x112282] "): ")
    at /usr/home/john/work/git/cheribsd/lib/libc/stdio/sprintf.c:55
#8  0x000000000013cb94 in sra_reply (
    ap=0x169720 <authenticators+224> [rwRW,0x169640-0x169800],
    data=<optimized out>, cnt=<optimized out>)
    at /usr/home/john/work/git/cheribsd/contrib/telnet/libtelnet/sra.c:269
#9  0x0000000000132e80 in telrcv ()
    at /usr/home/john/work/git/cheribsd/contrib/telnet/telnet/telnet.c:1872
#10 0x00000000001348e0 in Scheduler (block=<optimized out>)
    at /usr/home/john/work/git/cheribsd/contrib/telnet/telnet/telnet.c:2096
#11 0x0000000000134348 in telnet (user=<optimized out>)
    at /usr/home/john/work/git/cheribsd/contrib/telnet/telnet/telnet.c:2161
#12 0x000000000012bc48 in tn (argc=<optimized out>, argv=<optimized out>)
    at /usr/home/john/work/git/cheribsd/contrib/telnet/telnet/commands.c:2506
#13 0x000000000012f274 in main (argc=-530016, argv=<optimized out>)
    at /usr/home/john/work/git/cheribsd/contrib/telnet/telnet/main.c:372
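An added example, not the libtelnet code this report is about: a bounded way to accept a peer-supplied name and build the "User (%s): " prompt seen in frame #4, so an overlong or non-printable name is rejected rather than written past the end of a fixed buffer. The size cap and both function names are assumptions.

```c
/* Added example, not the telnet/libtelnet code from this bug report.
 * It shows the class of defect in the backtrace: an untrusted name from
 * the peer formatted into a fixed-size buffer with "User (%s): ".
 * NAME_MAX_LEN, PROMPT_SIZE and both function names are hypothetical. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define NAME_MAX_LEN 64                           /* hypothetical cap */
#define PROMPT_SIZE  (NAME_MAX_LEN + sizeof("User (): "))

/* Copies cnt untrusted bytes into name_out (size name_sz), refusing
 * overlong or non-printable input instead of truncating it.
 * Returns 0 on success, -1 on rejection; name_out is always terminated. */
int copy_remote_name(const unsigned char *data, size_t cnt,
                     char *name_out, size_t name_sz)
{
    size_t i;
    if (name_sz == 0)
        return -1;
    name_out[0] = '\0';
    if (cnt == 0 || cnt >= name_sz || cnt > NAME_MAX_LEN)
        return -1;
    for (i = 0; i < cnt; i++) {
        if (!isprint(data[i]))     /* e.g. the \006 byte in the dump */
            return -1;
        name_out[i] = (char)data[i];
    }
    name_out[cnt] = '\0';
    return 0;
}

/* Builds "User (<name>): " into prompt (size prompt_sz). Unlike an
 * unchecked sprintf, snprintf never writes past prompt_sz, and a result
 * that would have been truncated is reported as an error.
 * Returns the prompt length, or -1. */
int build_user_prompt(const char *name, char *prompt, size_t prompt_sz)
{
    int n;
    if (prompt_sz == 0)
        return -1;
    n = snprintf(prompt, prompt_sz, "User (%s): ", name);
    if (n < 0 || (size_t)n >= prompt_sz) {
        prompt[0] = '\0';
        return -1;
    }
    return n;
}
```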