Re: [bug-inetutils] Buffer overflow for gnu inetutils telnetd
From: Chris Severance
Subject: Re: [bug-inetutils] Buffer overflow for gnu inetutils telnetd
Date: Tue, 11 Jul 2017 02:21:16 -0400
There's nothing to reproduce. Your compile settings and glibc are
allowing the buffer overflows because they don't overflow enough to get
noticed. Compile with -Wformat-overflow=2 and the errors are all listed
out.
telnetd.c: In function 'telnetd_run':
telnetd.c:711:33: warning: '__builtin___sprintf_chk' writing a
terminating nul past the end of the destination [-Wformat-overflow=]
sprintf (data, "%c%c%c%c%c%c",
^
In file included from /usr/include/stdio.h:939:0,
from ../lib/stdio.h:43,
from telnetd.h:25,
from telnetd.c:23:
/usr/include/bits/stdio2.h:33:10: note: '__builtin___sprintf_chk' output
7 bytes into a destination of size 6
return __builtin___sprintf_chk (__s, __USE_FORTIFY_LEVEL - 1,
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
__bos (__s), __fmt, __va_arg_pack ());
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Unfortunately gcc 7.1.1 -stack-protector is also bugged and can't always
detect this.
On Mon, Jul 10, 2017, at 04:34 PM, Alfred M. Szmidt wrote:
> 2017-02-21 18:50 Mats Erik Andersson o telnetd: Debugging of line mode
> options.
> 9db2d39777f8d37496265fc732e640a2ea0c9a29
>
> This new code is causing a buffer overflow. I can immediately see that
> char data[6] doesn't include space for the trailing \0. I tried boosting
> to "char data[1000]" and that stopped the overflow but then it output
> junk characters in place of the OS greeting.
>
> I can't reproduce the behaviour, do you have a note of your setup?
>
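An added C example, not code from inetutils or from either poster, showing the arithmetic behind the warning quoted above: six %c conversions produce six bytes plus the terminating NUL, so sprintf writes seven bytes and a "char data[6]" destination is one short. It also shows the bounded form a reviewer would ask for, with the snprintf return value checked so an undersized buffer is reported instead of overrun. The option byte values are constructed placeholders, not what telnetd sends, and the function names (bytes_needed, fits, build_options, try_size) are mine.

```c
#include <stdio.h>
#include <stdlib.h>

/* Added example, not inetutils code: the arithmetic behind the
 * -Wformat-overflow warning quoted in the thread.  Six %c conversions
 * emit six bytes plus a terminating NUL, so sprintf writes seven bytes
 * and a "char data[6]" destination is one byte short. */

#define OPT_BYTES 6                 /* %c conversions in the format */
#define BAD_SIZE  OPT_BYTES         /* what the flagged code declared */
#define GOOD_SIZE (OPT_BYTES + 1)   /* room for the terminating NUL */

static const char opt_fmt[] = "%c%c%c%c%c%c";

/* Constructed stand-ins for the option bytes; placeholders only,
 * not the values telnetd actually sends. */
#define OPT_ARGS 0xff, 0xfa, 0x22, 0x01, 0xff, 0xf0

/* Total bytes sprintf would write for opt_fmt, terminator included.
 * snprintf(NULL, 0, ...) only measures; nothing is written. */
int bytes_needed(void)
{
    int n = snprintf(NULL, 0, opt_fmt, OPT_ARGS);
    return n < 0 ? -1 : n + 1;
}

/* Would a destination of 'size' bytes hold the formatted output? */
int fits(size_t size)
{
    int need = bytes_needed();
    return need > 0 && size >= (size_t)need;
}

/* Hardened form of the flagged call: bounded write with the return
 * value checked, so a mis-sized destination is reported instead of
 * silently overrun.  Returns the option-byte count, or -1 if the
 * output was truncated (the caller must then not send dst). */
int build_options(char *dst, size_t size)
{
    int n = snprintf(dst, size, opt_fmt, OPT_ARGS);
    if (n < 0 || (size_t)n >= size)
        return -1;
    return n;
}

/* Run build_options into a heap buffer of exactly 'size' bytes and
 * return its result; -2 means the allocation itself failed. */
int try_size(size_t size)
{
    char *buf = malloc(size);
    if (!buf)
        return -2;
    int r = build_options(buf, size);
    free(buf);
    return r;
}

int main(void)
{
    printf("format needs %d bytes: char[%d] %s, char[%d] %s\n",
           bytes_needed(),
           BAD_SIZE,  fits(BAD_SIZE)  ? "fits" : "too small",
           GOOD_SIZE, fits(GOOD_SIZE) ? "fits" : "too small");
    printf("build_options into char[%d] -> %d\n", GOOD_SIZE, try_size(GOOD_SIZE));
    printf("build_options into char[%d] -> %d\n", BAD_SIZE,  try_size(BAD_SIZE));
    return 0;
}
```

The measuring call is the same check -Wformat-overflow=2 performs at compile time, done at run time: if bytes_needed() exceeds the declared array size, the original sprintf would have written past it. Note that a bounded snprintf into the six-byte buffer does not crash, it truncates, which is why the return value must be checked rather than ignored.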