bug-inetutils
[Top][All Lists]
Advanced

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[bug-inetutils] telnetd bug: Buffer overflow when linked against GNU ter


From: Petr Malát
Subject: [bug-inetutils] telnetd bug: Buffer overflow when linked against GNU termcap
Date: Thu, 23 Aug 2012 20:28:13 +0200

Hi,
I found a problem in terminaltypeok() function, which calls tgetent()
with 1kB buffer. This is fine, if telnetd is linked against ncurses,
but if it is linked against GNU termcap, there is a buffer overflow
for xterm (and maybe other) terminal type, which requires 2030 bytes
and telnetd crashes. Documentation of GNU termcap proposes making this
buffer 2kB (see
http://www.gnu.org/software/termutils/manual/termcap-1.3/html_mono/termcap.html#SEC4).

I hope this is my last telnet issue :-)
  Petr


--- telnetd/utility.c   2012-08-23 20:20:41.000000000 +0200
+++ telnetd/utility.c     2012-08-23 20:22:19.540859145 +0200
@@ -843,7 +843,7 @@ getterminaltype (char *user_name)
 int
 terminaltypeok (char *s)
 {
-  char buf[1024];
+  char buf[2048];

   if (terminaltype == NULL)
     return 1;



reply via email to

[Prev in Thread] Current Thread [Next in Thread]