72fa318c85
- Fix CVE-2022-39028, NULL pointer dereference in telnetd (CVE-2022-39028, bsc#1203759) CVE-2022-39028.patch OBS-URL: https://build.opensuse.org/request/show/1030430 OBS-URL: https://build.opensuse.org/package/show/network:utilities/telnet?expand=0&rev=30
46 lines
1.3 KiB
Diff
46 lines
1.3 KiB
Diff
Description: Fix remote DoS vulnerability in inetutils-telnetd
|
|
This is caused by a crash by a NULL pointer dereference when sending the
|
|
byte sequences «0xff 0xf7» or «0xff 0xf8».
|
|
Authors:
|
|
Pierre Kim (original patch),
|
|
Alexandre Torres (original patch),
|
|
Erik Auerswald <auerswal@unix-ag.uni-kl.de> (adapted patch),
|
|
Reviewed-by: Erik Auerswald <auerswal@unix-ag.uni-kl.de>
|
|
Origin: upstream
|
|
Ref: https://pierrekim.github.io/blog/2022-08-24-2-byte-dos-freebsd-netbsd-telnetd-netkit-telnetd-inetutils-telnetd-kerberos-telnetd.html
|
|
Forwarded: https://lists.gnu.org/archive/html/bug-inetutils/2022-08/msg00002.html
|
|
Last-Update: 2022-08-28
|
|
|
|
|
|
diff --git a/telnetd/state.c b/telnetd/state.c
|
|
index ffc6cbaf..c2d760f8 100644
|
|
--- a/telnetd/state.c
|
|
+++ b/telnetd/state.c
|
|
@@ -185,16 +185,22 @@ telrcv (void)
|
|
case EC:
|
|
case EL:
|
|
{
|
|
- cc_t ch;
|
|
+ cc_t ch = (cc_t) (_POSIX_VDISABLE);
|
|
|
|
DIAG(TD_OPTIONS,
|
|
printoption("td: recv IAC", c));
|
|
ptyflush(); /* half-hearted */
|
|
init_termbuf();
|
|
if (c == EC)
|
|
- ch = *slctab[SLC_EC].sptr;
|
|
+ {
|
|
+ if (slctab[SLC_EC].sptr)
|
|
+ ch = *slctab[SLC_EC].sptr;
|
|
+ }
|
|
else
|
|
- ch = *slctab[SLC_EL].sptr;
|
|
+ {
|
|
+ if (slctab[SLC_EL].sptr)
|
|
+ ch = *slctab[SLC_EL].sptr;
|
|
+ }
|
|
if (ch != (cc_t)(_POSIX_VDISABLE))
|
|
*pfrontp++ = (unsigned char)ch;
|
|
break;
|
|
|