Date: Tue, 29 Apr 2025 18:30:52 GMT
Message-Id: <202504291830.53TIUqor023015@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
From: John Baldwin
Subject: git: 7485e6a867ab - stable/14 - telnet: Prevent buffer overflow in the user prompt for SRA
List-Id: Commits to the stable branches of the FreeBSD src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-branches
X-Git-Committer: jhb
X-Git-Repository: src
X-Git-Refname: refs/heads/stable/14
X-Git-Reftype: branch
X-Git-Commit: 7485e6a867ab2f7db87536af4f44fcae34c0f6de
Auto-Submitted: auto-generated

The branch stable/14 has been updated by jhb:

URL: https://cgit.FreeBSD.org/src/commit/?id=7485e6a867ab2f7db87536af4f44fcae34c0f6de

commit 7485e6a867ab2f7db87536af4f44fcae34c0f6de
Author:     John Baldwin
AuthorDate: 2025-04-16 13:41:03 +0000
Commit:     John Baldwin
CommitDate: 2025-04-29 14:45:52 +0000

    telnet: Prevent buffer overflow in the user prompt for SRA

    The Secure RPC authenticator for telnet prompts the local user for the
    username to use for authentication.  Previously it was using sprintf()
    into a buffer of 256 bytes, but the username received over the wire can
    be up to 255 bytes long which would overflow the prompt buffer.

    Fix this in two ways: First, use snprintf() and check for overflow.
    If the prompt buffer overflows, fail authentication without prompting
    the user.  Second, add 10 bytes to the buffer size to account for the
    overhead of the prompt so that a maximally sized username fits.

    While here, replace a bare 255 in the subsequent telnet_gets call with
    an expression using sizeof() the relevant buffer.

PR: 270263 Reported by: Robert Morris Tested on: CHERI Reviewed by: emaste Differential Revision: https://reviews.freebsd.org/D49832 (cherry picked from commit 5737c2ae06e143e49496df2ab5a64f76d5456012) --- contrib/telnet/libtelnet/sra.c | 16 ++++++++++++---- 1 file changed, 12 insertions(+), 4 deletions(-) diff --git a/contrib/telnet/libtelnet/sra.c b/contrib/telnet/libtelnet/sra.c index abacda12b495..3531c703a3d0 100644 --- a/contrib/telnet/libtelnet/sra.c +++ b/contrib/telnet/libtelnet/sra.c @@ -241,9 +241,10 @@ bad: void sra_reply(Authenticator *ap, unsigned char *data, int cnt) { - char uprompt[256],tuser[256]; + char uprompt[256 + 10]; /* +10 for "User (): " */ + char tuser[256]; Session_Key skey; - size_t i; + size_t i, len; if (cnt-- < 1) return; @@ -266,8 +267,15 @@ sra_reply(Authenticator *ap, unsigned char *data, int cnt) /* encode user */ memset(tuser,0,sizeof(tuser)); - sprintf(uprompt,"User (%s): ",UserNameRequested); - telnet_gets(uprompt,tuser,255,1); + len = snprintf(uprompt, sizeof(uprompt), "User (%s): ", + UserNameRequested); + if (len >= sizeof(uprompt)) { + if (auth_debug_mode) { + printf("SRA user name too long\r\n"); + } + return; + } + telnet_gets(uprompt, tuser, sizeof(tuser) - 1, 1); if (tuser[0] == '\n' || tuser[0] == '\r' ) strcpy(user,UserNameRequested); else {
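
Review bot: In the declaration of uprompt at the top of sra_reply(), the + 10 is a magic number tied to the prompt format only by the comment, so the two can drift apart if the "User (%s): " text in the later snprintf() call is ever changed. The fixed part "User (): " is 9 characters plus the terminating NUL, so the sum is correct today. Deriving the overhead from the string itself, for example 256 + sizeof("User (): "), or sharing one macro between the declaration and the format, would keep them in step. The length check added in the second hunk still catches a mismatch at run time, so this is a maintainability point rather than a safety one.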
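
Review bot: In the new snprintf() call in the second hunk, the int return value is stored in len, which the first hunk declares as size_t, so a negative error return is only rejected because it converts to a very large unsigned value before the len >= sizeof(uprompt) test. That behaves correctly but is implicit; either keep the result in an int and test for < 0 before comparing against sizeof(uprompt), or add a comment that the conversion is relied on. Two smaller points on the same hunk: the failure path returns silently unless auth_debug_mode is set, so the local user sees authentication stop with no explanation, and the unchanged context line strcpy(user,UserNameRequested) copies the same wire-supplied name with no bound visible here, so it is worth confirming that user can hold a 255-byte name.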