From 4c1e6d32ba6e9a14937a83f0d9375ef4d0b28057 Mon Sep 17 00:00:00 2001 From: Armin Kuster Date: Wed, 15 Nov 2023 08:26:09 -0500 Subject: netkit: Drop old and no upstream Signed-off-by: Armin Kuster Signed-off-by: Khem Raj --- ...ility.c-Fix-buffer-overflow-in-netoprintf.patch | 56 ---------------------- 1 file changed, 56 deletions(-) delete mode 100644 meta-networking/recipes-netkit/netkit-telnet/files/0001-telnetd-utility.c-Fix-buffer-overflow-in-netoprintf.patch (limited to 'meta-networking/recipes-netkit/netkit-telnet/files/0001-telnetd-utility.c-Fix-buffer-overflow-in-netoprintf.patch') diff --git a/meta-networking/recipes-netkit/netkit-telnet/files/0001-telnetd-utility.c-Fix-buffer-overflow-in-netoprintf.patch b/meta-networking/recipes-netkit/netkit-telnet/files/0001-telnetd-utility.c-Fix-buffer-overflow-in-netoprintf.patch deleted file mode 100644 index 8f983e40ab..0000000000 --- a/meta-networking/recipes-netkit/netkit-telnet/files/0001-telnetd-utility.c-Fix-buffer-overflow-in-netoprintf.patch +++ /dev/null @@ -1,56 +0,0 @@ -From 9c81c8e5bc7782e8ae12c078615abc3c896059f2 Mon Sep 17 00:00:00 2001 -From: Julius Hemanth Pitti -Date: Tue, 14 Jul 2020 22:34:19 -0700 -Subject: [PATCH] telnetd/utility.c: Fix buffer overflow in netoprintf - -As per man page of vsnprintf, when formated -string size is greater than "size"(2nd argument), -then vsnprintf returns size of formated string, -not "size"(2nd argument). - -netoprintf() was not handling a case where -return value of vsnprintf is greater than -"size"(2nd argument), results in buffer overflow -while adjusting "nfrontp" pointer to point -beyond "netobuf" buffer. - -Here is one such case where "nfrontp" -crossed boundaries of "netobuf", and -pointing to another global variable. - -(gdb) p &netobuf[8255] -$5 = 0x55c93afe8b1f "" -(gdb) p nfrontp -$6 = 0x55c93afe8c20 "\377" -(gdb) p &terminaltype -$7 = (char **) 0x55c93afe8c20 -(gdb) - -This resulted in crash of telnetd service -with segmentation fault. - -Though this is DoS security bug, I couldn't -find any CVE ID for this. - -Upstream-Status: Pending - -Signed-off-by: Julius Hemanth Pitti ---- - telnetd/utility.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/telnetd/utility.c b/telnetd/utility.c -index b9a46a6..4811f14 100644 ---- a/telnetd/utility.c -+++ b/telnetd/utility.c -@@ -66,7 +66,7 @@ netoprintf(const char *fmt, ...) - len = vsnprintf(nfrontp, maxsize, fmt, ap); - va_end(ap); - -- if (len<0 || len==maxsize) { -+ if (len<0 || len>=maxsize) { - /* didn't fit */ - netflush(); - } --- -2.19.1 -- cgit v1.2.3-54-g00ecf