Bug 1415706

Summary: telnet dumps core with certain combination of parameters
Product: [Fedora] Fedora Reporter: Michal Ruprich <mruprich>
Component: telnetAssignee: Michal Ruprich <mruprich>
Status: CLOSED RAWHIDE QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: rawhideCC: luhliari, mruprich, msekleta
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2017-01-25 10:46:54 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Attachments:
Description Flags
patch none

Description Michal Ruprich 2017-01-23 13:30:44 UTC
Created attachment 1243603 [details]
patch

Description of problem:
When using the -4 or -6 parameter together with -l and -b, telnet results in a core dump. Telnet uses static array of pointers to save these parameters. When the -4/-6 parameter was added, the array stayed the same size which results in buffer overflow. Expanding the array by one element should resolve the problem. 

Don't mind the obviously non-existing alias and user in the example. This bug is strictly about the number of parameters in this particular command.

Version-Release number of selected component (if applicable):
telnet-0.17-65.fc24.x86_64

How reproducible:
always

Steps to Reproduce:
telnet -l user -b alias -4 mx2.skymesh.com.au

 -- OR --

telnet -l user -b alias -6 mx2.skymesh.com.au

Actual results:
Trying 180.181.128.97...
Couldn't get address for alias
telnet: alias: Name or service not known: Success
*** stack smashing detected ***: telnet terminated
======= Backtrace: =========
/lib64/libc.so.6(+0x7570b)[0x7f755594b70b]
/lib64/libc.so.6(__fortify_fail+0x37)[0x7f75559eae67]
/lib64/libc.so.6(__fortify_fail+0x0)[0x7f75559eae30]
telnet(+0x498f)[0x55920af7d98f]
/lib64/libc.so.6(__libc_start_main+0xf1)[0x7f75558f6731]
telnet(+0x49b9)[0x55920af7d9b9]
======= Memory map: ========
55920af79000-55920af8f000 r-xp 00000000 fd:01 2780097                    /usr/bin/telnet

...

7ffff677d000-7ffff677f000 r-xp 00000000 00:00 0                          [vdso]
ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0                  [vsyscall]
Aborted (core dumped)

Expected results:
Trying 180.181.128.97...
Couldn't get address for alias
telnet: alias: Name or service not known: Success