From: Erik Auerswald
Subject: [BUG][PATCH] Someone described a remote DoS Vulnerability in telnetd (dereference NULL pointer ---> SEGV)
Date: Sat, 27 Aug 2022 19:37:15 +0200

Hi all,

someone has described a remote DoS vulnerability in
many telnetd implementations that I just happened to
stumble over:


The vulnerability is a NULL pointer dereference when
reading either of two two-byte sequences:

    1: 0xff 0xf7
    2: 0xff 0xf8

The blog shows GNU Inetutils' telnetd as vulnerable:


The blog post analyzes the issue as using a table
before this table has been initialized:


They show a patch against the FreeBSD 13.1 version
of telnetd to fix the two code paths, i.e., check
for NULL and don't dereference a NULL pointer.  Since
that might omit setting a variable before its use,
they add an initialization for said variable.

The FreeBSD patch works on different lines than need
to be changed in GNU Inetutils' telnetd, so it cannot
apply as is.

In GNU Inetutils, the code lines to dereference table
entries without first checking for NULL are in lines
321 and 323 of file "telnetd/state.c".  The variable
"ch" declared in line 315 of this file needs to be
initialized to "(cc_t) (_POSIX_VDISABLE)", because it
may not be assigned any value if the table is not yet


line 315: https://git.savannah.gnu.org/cgit/inetutils.git/tree/telnetd/state.c#n315
line 321: https://git.savannah.gnu.org/cgit/inetutils.git/tree/telnetd/state.c#n321
line 323: https://git.savannah.gnu.org/cgit/inetutils.git/tree/telnetd/state.c#n323

I have attached a completely untested, not even compile
tested, patch to do this (just the code changes, no NEWS
or commit log or anything).  Please test before committing.

They write that they do not intend to contact the


Thus this email.
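
The following is an added example, not part of the original message and not the attached patch or the Inetutils source: a self-contained C model of the fix described above, where the table lookup is guarded against NULL and "ch" starts out as "(cc_t) (_POSIX_VDISABLE)". The table layout, function names and sample input are hypothetical.

```c
#include <stddef.h>
#include <stdio.h>
#include <termios.h>            /* cc_t */
#include <unistd.h>             /* _POSIX_VDISABLE */

#define T_IAC 0xff              /* telnet "interpret as command" */
#define T_EC  0xf7              /* erase character */
#define T_EL  0xf8              /* erase line */

/* Hypothetical stand-in for the table: an entry points at a terminal
   control character only after table_init() has run. */
enum { SLOT_EC, SLOT_EL, NSLOTS };
static struct { cc_t *sptr; } table[NSLOTS];        /* sptr starts NULL */
static cc_t term_erase = 0x7f, term_kill = 0x15;    /* constructed values */

static void table_init(void) {
    table[SLOT_EC].sptr = &term_erase;
    table[SLOT_EL].sptr = &term_kill;
}

/* Returns the byte to forward to the pty, or -1 when there is none. */
static int handle_erase_cmd(unsigned char c) {
    cc_t ch = (cc_t) (_POSIX_VDISABLE);     /* defined even if the lookup is skipped */
    cc_t *p = table[c == T_EC ? SLOT_EC : SLOT_EL].sptr;
    if (p != NULL)                          /* table may not be initialized yet */
        ch = *p;
    return ch != (cc_t) (_POSIX_VDISABLE) ? (int) ch : -1;
}

/* Walks a client buffer and counts the erase/kill bytes forwarded. */
static size_t feed(const unsigned char *buf, size_t len) {
    size_t forwarded = 0;
    for (size_t i = 0; i + 1 < len; i++) {
        if (buf[i] != T_IAC)
            continue;
        unsigned char c = buf[++i];         /* command byte after IAC */
        if ((c == T_EC || c == T_EL) && handle_erase_cmd(c) >= 0)
            forwarded++;
    }
    return forwarded;
}

int main(void) {
    const unsigned char pkt[] = { T_IAC, T_EC, T_IAC, T_EL };  /* constructed */
    printf("before init: %zu forwarded\n", feed(pkt, sizeof pkt));
    table_init();
    printf("after init:  %zu forwarded\n", feed(pkt, sizeof pkt));
    return 0;
}
```

Without the NULL check, the first call to feed() would dereference a NULL "sptr"; without the initializer, "ch" would be compared while still indeterminate.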


