Date:      Fri, 30 Sep 2022 09:55:27 +0000
From:      bugzilla-noreply@freebsd.org
To:        bugs@FreeBSD.org
Subject:   [Bug 266719] telnetd crashes if it receives IAC EC at session start
Message-ID:  <bug-266719-227@https.bugs.freebsd.org/bugzilla/>

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=266719

            Bug ID: 266719
           Summary: telnetd crashes if it receives IAC EC at session start
           Product: Base System
           Version: CURRENT
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Some People
          Priority: ---
         Component: bin
          Assignee: bugs@FreeBSD.org
          Reporter: rtm@lcs.mit.edu
 Attachment #236964 mime type: text/plain

Created attachment 236964
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=236964&action=edit
crash telnetd with IAC EC

If telnetd receives IAC EC (erase), telrcv() dereferences an sptr:

                                        ch = *slctab[SLC_EC].sptr;

However, slctab[] is initialized only after telnetd asks the client
for the terminal type. That is, doit() calls getterminaltype() before
calling telnet(); and telnet() calls get_slc_defaults() which
initializes slctab[]. So if the client sends IAC EC too early in the
session, telnetd will crash.

I've attached a demo:

% cc telnetd2a.c
% ./a.out

gdb on telnetd says:

Program received signal SIGSEGV, Segmentation fault.
Address not mapped to object.
0x000000000102c1dc in telrcv () at /usr/src/contrib/telnet/telnetd/state.c:224
224                                     if (c == EC)
(gdb) where
#0  0x000000000102c1dc in telrcv ()
    at /usr/src/contrib/telnet/telnetd/state.c:224
#1  0x0000000001030974 in ttloop ()
    at /usr/src/contrib/telnet/telnetd/utility.c:84
#2  0x000000000102f131 in getterminaltype (name=<optimized out>)
    at /usr/src/contrib/telnet/telnetd/telnetd.c:481
#3  0x000000000102efd8 in doit (who=who@entry=0x7fffffffe790)
    at /usr/src/contrib/telnet/telnetd/telnetd.c:715
#4  0x000000000102ecb5 in main (argc=0, argv=<optimized out>)
    at /usr/src/contrib/telnet/telnetd/telnetd.c:408

FreeBSD stock14 14.0-CURRENT FreeBSD 14.0-CURRENT #3 main-n258027-c9baa974717a:
Thu Sep 15 20:02:51 AST 2022
root@stock14:/usr/obj/usr/src/amd64.amd64/sys/GENERIC amd64

-- 
You are receiving this mail because:
You are the assignee for the bug.
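The ordering problem the report describes, modelled in C as an added example. This is not telnetd's code and not the attached telnetd2a.c demo: the slctab layout, the names model_telrcv / model_get_slc_defaults / model_early_ec, and the NULL guard shown as the hardened path are assumptions for illustration. The constants mirror RFC 854 and <arpa/telnet.h> (IAC = 255, EC = 247, SLC_EC = 10). The model reproduces the report's sequence: slctab[SLC_EC].sptr is NULL until the get_slc_defaults() stand-in runs, so an IAC EC arriving before that point would be dereferenced as a NULL pointer; the guarded parser instead drops the command and reports why.

```c
/* Added example: model of the telrcv() IAC EC path from bug 266719.
 * Not telnetd's code. Constants mirror RFC 854 / <arpa/telnet.h>; the
 * slctab layout and the NULL guard are assumptions for illustration. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define IAC    255   /* "interpret as command" */
#define EC     247   /* erase character */
#define SLC_EC  10   /* slctab slot for the erase character */
#define NSLC    18

struct slc_entry {
    unsigned char *sptr;   /* points at the live tty setting once initialised */
    unsigned char  defset;
};

/* Static storage is zero-filled, so every sptr is NULL until the
 * get_slc_defaults() stand-in below runs: the state the report hits. */
static struct slc_entry slctab[NSLC];
static unsigned char termbuf_erase;   /* stand-in for the tty VERASE slot */

/* Stand-in for get_slc_defaults(): wire sptr to the live erase character. */
void model_get_slc_defaults(unsigned char erase_char)
{
    termbuf_erase = erase_char;
    slctab[SLC_EC].sptr = &termbuf_erase;
}

/* Return slctab to its pre-negotiation (uninitialised) state. */
void model_reset(void)
{
    memset(slctab, 0, sizeof slctab);
}

enum rcv_status {
    RCV_DATA = 0,          /* only ordinary data seen */
    RCV_OK,                /* IAC EC handled, *out holds the erase char */
    RCV_DROPPED_UNINIT,    /* IAC EC arrived before slctab was initialised */
    RCV_NEED_MORE          /* stream ended right after an IAC */
};

/* Walk a client byte stream the way the vulnerable path does, but guarded.
 * The original line is `ch = *slctab[SLC_EC].sptr;` with no NULL check. */
enum rcv_status model_telrcv(const unsigned char *buf, size_t len, unsigned char *out)
{
    enum rcv_status st = RCV_DATA;
    size_t i = 0;

    while (i < len) {
        unsigned char c = buf[i++];
        if (c != IAC)
            continue;                     /* ordinary data byte */
        if (i >= len)
            return RCV_NEED_MORE;         /* IAC with no command byte yet */
        c = buf[i++];
        if (c == EC) {
            if (slctab[SLC_EC].sptr == NULL) {
                st = RCV_DROPPED_UNINIT;  /* would have been a NULL deref */
                continue;
            }
            *out = *slctab[SLC_EC].sptr;
            st = RCV_OK;
        }
        /* other IAC commands are outside this model and are skipped */
    }
    return st;
}

/* The two-byte sequence sent at session start (constructed per the report). */
size_t model_early_ec(unsigned char *buf)
{
    buf[0] = IAC;
    buf[1] = EC;
    return 2;
}

int main(void)
{
    unsigned char msg[2], out = 0;
    size_t n = model_early_ec(msg);

    model_reset();
    printf("before defaults: status=%d\n", model_telrcv(msg, n, &out));
    model_get_slc_defaults(0x7f);
    printf("after defaults:  status=%d erase=0x%02x\n", model_telrcv(msg, n, &out), out);
    return 0;
}
```

Status 2 (RCV_DROPPED_UNINIT) on the first call is exactly the point in the report where the real telrcv() dereferences a NULL sptr from inside getterminaltype(); after the defaults are wired the same bytes resolve to the erase character.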


