Re: telnet: Handle integer overflow gracefully.

bug-inetutils

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: telnet: Handle integer overflow gracefully.

From:	Erik Auerswald
Subject:	Re: telnet: Handle integer overflow gracefully.
Date:	Mon, 26 Aug 2024 10:19:42 +0200

Hi all,

On Fri, Aug 23, 2024 at 10:56:30PM -0700, Collin Funk wrote:

> I've pushed the attached patch removing an integer overflow from telnet.
> 
> The overflow occurs went sending 'send dont <value>' but the value
> exceeds INT_MAX.

I was curious if the original integer overflow possibility could lead
to problems.  The code already attempted to detect out-of-range values
for the "send do/dont/will/wont <value>" commands, but this did not work
reliably.  At least on Ubuntu GNU/Linux 20.04 on x86-64 one could crash
the GNU Inetutils telnet client with some values greater than INT_MAX:

    $ uname -p
    x86_64
    $ gcc --version | head -n1
    gcc (Ubuntu 9.4.0-1ubuntu1~20.04.2) 9.4.0
    $ jobs
    [1]+  Running                 nc -dkln 127.0.0.1 7777 > /dev/null 2>&1 &
    $ git log -n1 --pretty=oneline
    e29e76b37b31eef27c5d53cc87306e7b80376762 (HEAD -> master, origin/master, 
origin/HEAD) ftp: Cleanup port number to string conversion.
    $ echo %send do $(echo 2^31 | bc) | ./telnet/telnet --escape=% 127.0.0.1 
7777
    Telnet escape character is '%'.
    Trying 127.0.0.1...
    Connected to 127.0.0.1.
    Escape character is '%'.

    telnet> send do 2147483648
    Segmentation fault (core dumped)

This wrong memory access happens in the "send_do()" function from
telnet/telnet.c where the integer value is used to index into an array
of size 256.  This is similar for "send_dont()", "send_will()", and
"send_wont()" from the same file.

This no longer happens with the integer overflow fix in commit
a6d9848a32fafa763548e54b44cb094abdac915d:

    $ echo %send do $(echo 2^31 | bc) | ./telnet/telnet --escape=% 127.0.0.1 
7777
    Telnet escape character is '%'.
    Trying 127.0.0.1...
    Connected to 127.0.0.1.
    Escape character is '%'.

    telnet> send do 2147483648
    '2147483648': bad value ('send do ?' for help).
    telnet> 
    Connection closed.

Br,
Erik

[Prev in Thread]

Current Thread

[Next in Thread]

telnet: Handle integer overflow gracefully., Collin Funk, 2024/08/24
- Re: telnet: Handle integer overflow gracefully., Erik Auerswald, 2024/08/25
  - Re: telnet: Handle integer overflow gracefully., Simon Josefsson, 2024/08/25
    - Re: telnet: Handle integer overflow gracefully., Erik Auerswald, 2024/08/25
    - Re: telnet: Handle integer overflow gracefully., Collin Funk, 2024/08/25
    - Re: telnet: Handle integer overflow gracefully., Collin Funk, 2024/08/25
    - Re: telnet: Handle integer overflow gracefully., Erik Auerswald, 2024/08/26
    - Re: telnet: Handle integer overflow gracefully., Collin Funk, 2024/08/27
    - Re: telnet: Handle integer overflow gracefully., Erik Auerswald, 2024/08/31
- Re: telnet: Handle integer overflow gracefully., Erik Auerswald <=

Prev by Date: Re: telnet: Handle integer overflow gracefully.
Next by Date: Re: telnet: Handle integer overflow gracefully.
Previous by thread: Re: telnet: Handle integer overflow gracefully.
Next by thread: [PATCH] Test telnet integer overflow fix
Index(es):
- Date
- Thread