mirror of
https://github.com/openRuyi-Project/openRuyi.git
synced 2026-04-28 11:03:42 +00:00
36 lines
1.2 KiB
Diff
From 6864598a29b652a6b69a958f5cd1318aa2b258af Mon Sep 17 00:00:00 2001
From: Collin Funk <collin.funk1@gmail.com>
Date: Wed, 11 Mar 2026 23:06:46 -0700
Subject: [PATCH] telnetd: fix stack buffer overflow processing SLC suboption
triplets

Previously a client could write past the end of an internal buffer using
an SLC suboption with many triplets using function octets greater than
18, possibly leading to remote code execution. Reported by Adiel Sol,
Arad Inbar, Erez Cohen, Nir Somech, Ben Grinberg, Daniel Lubel at DREAM
Security Research Team at:
<https://lists.gnu.org/r/bug-inetutils/2026-03/msg00031.html>.

* telnetd/slc.c (add_slc): Return early if writing the tuple would lead
us to writing past the end of the buffer.
* NEWS.md: Mention the fix.
---
NEWS.md | 6 ++++++
telnetd/slc.c | 3 +++
2 files changed, 9 insertions(+)

diff --git a/telnetd/slc.c b/telnetd/slc.c
index f45e7725..2dfef22f 100644
--- a/telnetd/slc.c
+++ b/telnetd/slc.c
@@ -162,6 +162,9 @@ get_slc_defaults (void)
void
add_slc (char func, char flag, cc_t val)
{
+ /* Do nothing if the entire triplet cannot fit in the buffer. */
+ if (slcbuf + sizeof slcbuf - slcptr <= 6)
+ return;
if ((*slcptr++ = (unsigned char) func) == 0xff)
*slcptr++ = 0xff;
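Review bot: the bound in `if (slcbuf + sizeof slcbuf - slcptr <= 6)` is an unexplained magic number, and the comment above it ("the entire triplet") reads as if 3 bytes were enough. The context lines that follow show why more is needed: an octet equal to 0xff is written twice, so one triplet can take up to 6 bytes. Please say that in the comment or use a named constant. Also, `<=` returns early when exactly 6 bytes remain, which is stricter than fitting one worst-case triplet; if that slack is reserved for bytes appended after the triplets, the comment should state it, otherwise `< 6` is the tight bound. Two smaller points: `sizeof slcbuf` only yields the buffer size if `slcbuf` is an array in this scope and not a pointer (its declaration is outside the hunk), and the silent `return` drops the triplet with no signal to the caller, so consider a debug log or a status return.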