Re: telnet: Buffer Overrun by unchecked environment variables
* Josh Martin <jmartin@columbiaservices.net> [040810 10:08]:
> Although this should never actually happen, if you set your environment
> variable HOME to an extremely large string a buffer overflow will occur upon
> connecting to a server using telnet. I was not able to overwrite 'eip'
> but I have included a patch that fixes this problem.
[some context for the patch]
void cmdrc(const char *m1, const char *m2, const char *port) {
    static char *rcname = 0;
    static char rcbuf[128];

    if (skiprc) return;

    readrc(m1, m2, port, "/etc/telnetrc");
> --- commands.orig.cc 2004-08-10 09:50:44.000000000 -0700
> +++ commands.cc 2004-08-10 09:51:07.000000000 -0700
> @@ -2148,7 +2148,7 @@
> if (rcname == 0) {
> rcname = getenv("HOME");
> if (rcname)
> - strcpy(rcbuf, rcname);
> + strncpy(rcbuf, rcname, 127);
> else
> rcbuf[0] = '\0';
> strcat(rcbuf, "/.telnetrc");
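Review bot: the `strncpy(rcbuf, rcname, 127)` line leaves `rcbuf` without a terminating NUL whenever `$HOME` is 127 bytes or longer, and even when it is terminated the following `strcat(rcbuf, "/.telnetrc")` can still write up to 10 bytes past the 128-byte `rcbuf`, so the hunk only moves the overflow rather than removing it. Replace the copy-then-append pair with a single bounded write that is checked, e.g. `if (snprintf(rcbuf, sizeof rcbuf, "%s/.telnetrc", rcname) >= (int)sizeof rcbuf) { rcbuf[0] = '\0'; return; }`, or keep `strncpy` but add `rcbuf[sizeof rcbuf - 1] = '\0';` and test `strlen(rcbuf) + strlen("/.telnetrc") < sizeof rcbuf` before the `strcat`.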
I may be utterly confused, but that patch does look quite strange.
It may make it near to impossible to introduce code, but only reduces
the problem: strncpy will not '\0'-terminate the string, so that the
following "/.telnetrc" will be written to some random position.
And even if there was some termination, 127 chars plus 10 chars
for "/.telnetrc" is still more than the reserved 128. (Thus when
having $HOME 116 to 126 chars one could even control where the
/.telnetrc letters get to.)
Hochachtungsvoll,
Bernhard R. Link
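As an added illustration of the two points raised in this reply (strncpy not terminating, and strcat still overrunning the 128-byte buffer), here is a small C program that is not part of the telnet source or of either patch. The function build_rcpath() is a hypothetical replacement for the strcpy/strncpy + strcat sequence in cmdrc(): it writes "$HOME/.telnetrc" with a single length-checked snprintf and refuses inputs that do not fit. The helper strncpy_terminated_for_len() reproduces the termination defect of strncpy(rcbuf, rcname, 127) on a scratch buffer, without appending anything, so the demonstration itself cannot overflow. The buffer size 128 and the suffix "/.telnetrc" are taken from the quoted code; the HOME strings of 'A' characters are constructed test input.

```c
#include <stdio.h>
#include <string.h>

#define RCBUF_SIZE 128          /* matches the static rcbuf[128] in cmdrc() */
#define RC_SUFFIX  "/.telnetrc" /* 10 characters, as in the quoted strcat() */
#define MAX_HOME   300          /* cap for the constructed $HOME test strings */

/* Hypothetical replacement for the strcpy/strncpy + strcat sequence:
 * writes "$HOME/.telnetrc" into out[outsz]. Returns 0 on success and -1 if
 * the path would not fit, leaving out as an empty string in that case. */
int build_rcpath(char *out, size_t outsz, const char *home)
{
    if (out == NULL || outsz == 0)
        return -1;
    if (home == NULL)
        home = "";
    /* snprintf always NUL-terminates within outsz and reports the full
     * length it wanted, so one comparison detects a truncated path. */
    int n = snprintf(out, outsz, "%s%s", home, RC_SUFFIX);
    if (n < 0 || (size_t)n >= outsz) {
        out[0] = '\0';
        return -1;
    }
    return 0;
}

/* Fill buf with len 'A' characters followed by a NUL (constructed input). */
static void make_home(char *buf, size_t len)
{
    if (len > MAX_HOME - 1)
        len = MAX_HOME - 1;
    memset(buf, 'A', len);
    buf[len] = '\0';
}

/* Does build_rcpath() accept a $HOME of the given length into a 128-byte
 * buffer? Returns 0 if it fits, -1 if it was rejected. */
int rcpath_result_for_len(size_t len)
{
    char home[MAX_HOME];
    char out[RCBUF_SIZE];
    make_home(home, len);
    return build_rcpath(out, sizeof out, home);
}

/* Reproduces the termination defect of strncpy(rcbuf, rcname, 127): returns
 * 1 if the copy left a NUL somewhere in the 128 bytes, 0 if it did not.
 * The buffer is poisoned first so any NUL found must come from strncpy. */
int strncpy_terminated_for_len(size_t len)
{
    char home[MAX_HOME];
    char buf[RCBUF_SIZE];
    make_home(home, len);
    memset(buf, 'X', sizeof buf);
    strncpy(buf, home, RCBUF_SIZE - 1);
    return memchr(buf, '\0', RCBUF_SIZE) != NULL;
}

int main(void)
{
    /* 117 + 10 = 127 characters plus NUL is the most a 128-byte buffer holds */
    printf("HOME of 117 chars fits:            %d\n", rcpath_result_for_len(117) == 0);
    printf("HOME of 118 chars rejected:        %d\n", rcpath_result_for_len(118) == -1);
    printf("strncpy(127) terminated, 126 chars: %d\n", strncpy_terminated_for_len(126));
    printf("strncpy(127) terminated, 127 chars: %d\n", strncpy_terminated_for_len(127));
    return 0;
}
```

The boundary the program checks is the one implied by the sizes in the quoted code: with a 128-byte buffer and a 10-character suffix, a $HOME longer than 117 characters cannot be stored, and any $HOME of 127 characters or more is copied by strncpy(..., 127) without a terminator.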