Bug 1415706 - telnet dumps core with certain combination of parameters
Summary: telnet dumps core with certain combination of parameters
Keywords:
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: telnet
Version: rawhide
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: Michal Ruprich
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2017-01-23 13:30 UTC by Michal Ruprich
Modified: 2017-01-25 10:46 UTC (History)
3 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-01-25 10:46:54 UTC
Type: Bug


Attachments (Terms of Use)
patch (302 bytes, patch)
2017-01-23 13:30 UTC, Michal Ruprich
no flags Details | Diff

Description Michal Ruprich 2017-01-23 13:30:44 UTC
Created attachment 1243603 [details]
patch

Description of problem:
When using the -4 or -6 parameter together with -l and -b, telnet results in a core dump. Telnet uses static array of pointers to save these parameters. When the -4/-6 parameter was added, the array stayed the same size which results in buffer overflow. Expanding the array by one element should resolve the problem. 

Don't mind the obviously non-existing alias and user in the example. This bug is strictly about the number of parameters in this particular command.

Version-Release number of selected component (if applicable):
telnet-0.17-65.fc24.x86_64

How reproducible:
always

Steps to Reproduce:
telnet -l user -b alias -4 mx2.skymesh.com.au

 -- OR --

telnet -l user -b alias -6 mx2.skymesh.com.au

Actual results:
Trying 180.181.128.97...
Couldn't get address for alias
telnet: alias: Name or service not known: Success
*** stack smashing detected ***: telnet terminated
======= Backtrace: =========
/lib64/libc.so.6(+0x7570b)[0x7f755594b70b]
/lib64/libc.so.6(__fortify_fail+0x37)[0x7f75559eae67]
/lib64/libc.so.6(__fortify_fail+0x0)[0x7f75559eae30]
telnet(+0x498f)[0x55920af7d98f]
/lib64/libc.so.6(__libc_start_main+0xf1)[0x7f75558f6731]
telnet(+0x49b9)[0x55920af7d9b9]
======= Memory map: ========
55920af79000-55920af8f000 r-xp 00000000 fd:01 2780097                    /usr/bin/telnet

...

7ffff677d000-7ffff677f000 r-xp 00000000 00:00 0                          [vdso]
ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0                  [vsyscall]
Aborted (core dumped)

Expected results:
Trying 180.181.128.97...
Couldn't get address for alias
telnet: alias: Name or service not known: Success


Note You need to log in before you can comment on or make changes to this bug.