netkit-telnetd: Fix buffer overflow in netoprintf

netoprintf() was not handling a case where return value of vsnprintf is greater than "size"(2nd argument), results in buffer overflow while adjusting "nfrontp" pointer to point beyond "netobuf" buffer. Here is one such case where "nfrontp" crossed boundaries of "netobuf", and pointing to another global variable. (gdb) p &netobuf[8255] $5 = 0x55c93afe8b1f <netobuf+8255> "" (gdb) p nfrontp $6 = 0x55c93afe8c20 <terminaltype> "\377" (gdb) p &terminaltype $7 = (char **) 0x55c93afe8c20 <terminaltype> (gdb) This resulted in crash of telnetd service with segmentation fault. Signed-off-by: Julius Hemanth Pitti <jpitti@cisco.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit 232b82afd405c526f822294509e1d32388544ed4) [appears to be CVE-2020-10188] Signed-off-by: Armin Kuster <akuster808@gmail.com>
author: Julius Hemanth Pitti <jpitti@cisco.com> 2020-07-20 15:19:46 -0700
committer: Armin Kuster <akuster808@gmail.com> 2020-07-29 22:44:52 -0700
commit: b4be735fdb1bbc97e147739c217ad5b62e74fa61 (patch)
tree: 377c34d50718c923ca6ea325da0459d1ddd2e4cb
parent: fd0d398fe70f8ea109f7a9efa5b13bfff1a70bd0 (diff)
download: meta-openembedded-b4be735fdb1bbc97e147739c217ad5b62e74fa61.tar.gz
2 files changed, 57 insertions, 0 deletions
diff --git a/meta-networking/recipes-netkit/netkit-telnet/files/0001-telnetd-utility.c-Fix-buffer-overflow-in-netoprintf.patch b/meta-networking/recipes-netkit/netkit-telnet/files/0001-telnetd-utility.c-Fix-buffer-overflow-in-netoprintf.patch
new file mode 100644
index 0000000000..8f983e40ab
--- /dev/null
+++ b/meta-networking/recipes-netkit/netkit-telnet/files/0001-telnetd-utility.c-Fix-buffer-overflow-in-netoprintf.patch
@@ -0,0 +1,56 @@
+From 9c81c8e5bc7782e8ae12c078615abc3c896059f2 Mon Sep 17 00:00:00 2001
+From: Julius Hemanth Pitti <jpitti@cisco.com>
+Date: Tue, 14 Jul 2020 22:34:19 -0700
+Subject: [PATCH] telnetd/utility.c: Fix buffer overflow in netoprintf
+As per man page of vsnprintf, when formated
+string size is greater than "size"(2nd argument),
+then vsnprintf returns size of formated string,
+not "size"(2nd argument).
+netoprintf() was not handling a case where
+return value of vsnprintf is greater than
+"size"(2nd argument), results in buffer overflow
+while adjusting "nfrontp" pointer to point
+beyond "netobuf" buffer.
+Here is one such case where "nfrontp"
+crossed boundaries of "netobuf", and
+pointing to another global variable.
+(gdb) p &netobuf[8255]
+$5 = 0x55c93afe8b1f <netobuf+8255> ""
+(gdb) p nfrontp
+$6 = 0x55c93afe8c20 <terminaltype> "\377"
+(gdb) p &terminaltype
+$7 = (char **) 0x55c93afe8c20 <terminaltype>
+(gdb)
+This resulted in crash of telnetd service
+with segmentation fault.
+Though this is DoS security bug, I couldn't
+find any CVE ID for this.
+Upstream-Status: Pending
+Signed-off-by: Julius Hemanth Pitti <jpitti@cisco.com>
+---
+ telnetd/utility.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+diff --git a/telnetd/utility.c b/telnetd/utility.c
+index b9a46a6..4811f14 100644
+--- a/telnetd/utility.c
+++ b/telnetd/utility.c
+@@ -66,7 +66,7 @@ netoprintf(const char *fmt, ...)
+       len = vsnprintf(nfrontp, maxsize, fmt, ap);
+       va_end(ap);
+ 
+-      if (len<0 || len==maxsize) {
+      if (len<0 || len>=maxsize) {
+         /* didn't fit */
+         netflush();
+       }
+--
+2.19.1
diff --git a/meta-networking/recipes-netkit/netkit-telnet/netkit-telnet_0.17.bb b/meta-networking/recipes-netkit/netkit-telnet/netkit-telnet_0.17.bb
index 0e92add633..08dd532b62 100644
--- a/meta-networking/recipes-netkit/netkit-telnet/netkit-telnet_0.17.bb
+++ b/meta-networking/recipes-netkit/netkit-telnet/netkit-telnet_0.17.bb
@@ -13,6 +13,7 @@ SRC_URI = "http://ftp.linux.org.uk/pub/linux/Networking/netkit/${BP}.tar.gz \
           file://0001-telnet-telnetd-Fix-print-format-strings.patch \
           file://0001-telnet-telnetd-Fix-deadlock-on-cleanup.patch \
           file://CVE-2020-10188.patch \
+           file://0001-telnetd-utility.c-Fix-buffer-overflow-in-netoprintf.patch \
           "
 UPSTREAM_CHECK_URI = "${DEBIAN_MIRROR}/main/n/netkit-telnet/"
author	Julius Hemanth Pitti <jpitti@cisco.com>	2020-07-20 15:19:46 -0700
committer	Armin Kuster <akuster808@gmail.com>	2020-07-29 22:44:52 -0700
commit	b4be735fdb1bbc97e147739c217ad5b62e74fa61 (patch)
tree	377c34d50718c923ca6ea325da0459d1ddd2e4cb
parent	fd0d398fe70f8ea109f7a9efa5b13bfff1a70bd0 (diff)
download	meta-openembedded-b4be735fdb1bbc97e147739c217ad5b62e74fa61.tar.gz

diff --git a/meta-networking/recipes-netkit/netkit-telnet/files/0001-telnetd-utility.c-Fix-buffer-overflow-in-netoprintf.patch b/meta-networking/recipes-netkit/netkit-telnet/files/0001-telnetd-utility.c-Fix-buffer-overflow-in-netoprintf.patch new file mode 100644 index 0000000000..8f983e40ab --- /dev/null +++ b/meta-networking/recipes-netkit/netkit-telnet/files/0001-telnetd-utility.c-Fix-buffer-overflow-in-netoprintf.patch
@@ -0,0 +1,56 @@
		1	From 9c81c8e5bc7782e8ae12c078615abc3c896059f2 Mon Sep 17 00:00:00 2001
		2	From: Julius Hemanth Pitti <jpitti@cisco.com>
		3	Date: Tue, 14 Jul 2020 22:34:19 -0700
		4	Subject: [PATCH] telnetd/utility.c: Fix buffer overflow in netoprintf
		5
		6	As per man page of vsnprintf, when formated
		7	string size is greater than "size"(2nd argument),
		8	then vsnprintf returns size of formated string,
		9	not "size"(2nd argument).
		10
		11	netoprintf() was not handling a case where
		12	return value of vsnprintf is greater than
		13	"size"(2nd argument), results in buffer overflow
		14	while adjusting "nfrontp" pointer to point
		15	beyond "netobuf" buffer.
		16
		17	Here is one such case where "nfrontp"
		18	crossed boundaries of "netobuf", and
		19	pointing to another global variable.
		20
		21	(gdb) p &netobuf[8255]
		22	$5 = 0x55c93afe8b1f <netobuf+8255> ""
		23	(gdb) p nfrontp
		24	$6 = 0x55c93afe8c20 <terminaltype> "\377"
		25	(gdb) p &terminaltype
		26	$7 = (char **) 0x55c93afe8c20 <terminaltype>
		27	(gdb)
		28
		29	This resulted in crash of telnetd service
		30	with segmentation fault.
		31
		32	Though this is DoS security bug, I couldn't
		33	find any CVE ID for this.
		34
		35	Upstream-Status: Pending
		36
		37	Signed-off-by: Julius Hemanth Pitti <jpitti@cisco.com>
		38	---
		39	telnetd/utility.c \| 2 +-
		40	1 file changed, 1 insertion(+), 1 deletion(-)
		41
		42	diff --git a/telnetd/utility.c b/telnetd/utility.c
		43	index b9a46a6..4811f14 100644
		44	--- a/telnetd/utility.c
		45	+++ b/telnetd/utility.c
		46	@@ -66,7 +66,7 @@ netoprintf(const char *fmt, ...)
		47	len = vsnprintf(nfrontp, maxsize, fmt, ap);
		48	va_end(ap);
		49
		50	- if (len<0 \|\| len==maxsize) {
		51	+ if (len<0 \|\| len>=maxsize) {
		52	/* didn't fit */
		53	netflush();
		54	}
		55	--
		56	2.19.1


diff --git a/meta-networking/recipes-netkit/netkit-telnet/netkit-telnet_0.17.bb b/meta-networking/recipes-netkit/netkit-telnet/netkit-telnet_0.17.bb index 0e92add633..08dd532b62 100644 --- a/meta-networking/recipes-netkit/netkit-telnet/netkit-telnet_0.17.bb +++ b/meta-networking/recipes-netkit/netkit-telnet/netkit-telnet_0.17.bb
@@ -13,6 +13,7 @@ SRC_URI = "http://ftp.linux.org.uk/pub/linux/Networking/netkit/${BP}.tar.gz \
13	file://0001-telnet-telnetd-Fix-print-format-strings.patch \	13	file://0001-telnet-telnetd-Fix-print-format-strings.patch \
14	file://0001-telnet-telnetd-Fix-deadlock-on-cleanup.patch \	14	file://0001-telnet-telnetd-Fix-deadlock-on-cleanup.patch \
15	file://CVE-2020-10188.patch \	15	file://CVE-2020-10188.patch \
		16	file://0001-telnetd-utility.c-Fix-buffer-overflow-in-netoprintf.patch \
16	"	17	"
17		18
18	UPSTREAM_CHECK_URI = "${DEBIAN_MIRROR}/main/n/netkit-telnet/"	19	UPSTREAM_CHECK_URI = "${DEBIAN_MIRROR}/main/n/netkit-telnet/"