Bug 1415706 - telnet dumps core with certain combination of parameters
Keywords:
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: telnet
Version: rawhide
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Michal Ruprich
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2017-01-23 13:30 UTC by Michal Ruprich
Modified: 2017-01-25 10:46 UTC

Fixed In Version:
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-01-25 10:46:54 UTC
Type: Bug
Embargoed:


Attachments
patch (302 bytes, patch)
2017-01-23 13:30 UTC, Michal Ruprich

Description Michal Ruprich 2017-01-23 13:30:44 UTC
Created attachment 1243603
patch

Description of problem:
When using the -4 or -6 parameter together with -l and -b, telnet results in a core dump. Telnet uses a static array of pointers to save these parameters. When the -4/-6 parameter was added, the array stayed the same size, which results in a buffer overflow. Expanding the array by one element should resolve the problem.

Don't mind the obviously non-existing alias and user in the example. This bug is strictly about the number of parameters in this particular command.

Version-Release number of selected component (if applicable):
telnet-0.17-65.fc24.x86_64

How reproducible:
always

Steps to Reproduce:
telnet -l user -b alias -4 mx2.skymesh.com.au

 -- OR --

telnet -l user -b alias -6 mx2.skymesh.com.au

Actual results:
Trying 180.181.128.97...
Couldn't get address for alias
telnet: alias: Name or service not known: Success
*** stack smashing detected ***: telnet terminated
======= Backtrace: =========
/lib64/libc.so.6(+0x7570b)[0x7f755594b70b]
/lib64/libc.so.6(__fortify_fail+0x37)[0x7f75559eae67]
/lib64/libc.so.6(__fortify_fail+0x0)[0x7f75559eae30]
telnet(+0x498f)[0x55920af7d98f]
/lib64/libc.so.6(__libc_start_main+0xf1)[0x7f75558f6731]
telnet(+0x49b9)[0x55920af7d9b9]
======= Memory map: ========
55920af79000-55920af8f000 r-xp 00000000 fd:01 2780097                    /usr/bin/telnet

...

7ffff677d000-7ffff677f000 r-xp 00000000 00:00 0                          [vdso]
ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0                  [vsyscall]
Aborted (core dumped)

Expected results:
Trying 180.181.128.97...
Couldn't get address for alias
telnet: alias: Name or service not known: Success
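
The failure mode described in this report, a fixed-size pointer array that was not resized when a new option was added, shown as an added example with a bounds-checked builder that fails cleanly instead of writing past the array. This is not telnet's source or the attached patch; `struct argvec`, `av_push`, `build_args`, the capacities 7 and 8 and the host name `host.example` are assumptions made for the illustration.

```c
#include <stddef.h>
#include <stdio.h>

/* Bounded argument vector: capacity is tracked next to the storage. */
struct argvec {
    const char **slot;  /* caller-provided storage */
    size_t cap;         /* total slots, including the NULL terminator */
    size_t len;         /* slots used so far */
    int overflow;       /* set when an argument did not fit */
};

/* Append one argument, always keeping one slot free for the final NULL. */
static void av_push(struct argvec *v, const char *s)
{
    if (v->len + 1 >= v->cap) { v->overflow = 1; return; }
    v->slot[v->len++] = s;
}

/* Returns the number of arguments stored, or -1 if the array is too small. */
int build_args(const char **slot, size_t cap, const char *prog,
               const char *user, const char *bind, int family,
               const char *host, const char *port)
{
    struct argvec v = { slot, cap, 0, 0 };
    av_push(&v, prog);
    if (user) { av_push(&v, "-l"); av_push(&v, user); }
    if (bind) { av_push(&v, "-b"); av_push(&v, bind); }
    if (family == 4) av_push(&v, "-4");
    if (family == 6) av_push(&v, "-6");
    av_push(&v, host);
    if (port) av_push(&v, port);
    if (v.overflow) return -1;
    slot[v.len] = NULL;
    return (int)v.len;
}

int main(void)
{
    const char *small[7], *big[8];  /* constructed sizes, not telnet's */
    /* Same option mix as the reproducer: -l, -b and -4 together. */
    printf("cap 7: %d\n", build_args(small, 7, "telnet", "user", "alias",
                                     4, "host.example", NULL));
    printf("cap 8: %d\n", build_args(big, 8, "telnet", "user", "alias",
                                     4, "host.example", NULL));
    return 0;
}
```

With these constructed sizes the option mix needs seven pointers plus the terminator, so the 7-slot array is rejected and the array grown by one element is accepted.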

