From 7f544c44dd4ba1ad53da0547ec92d178c7678edc Mon Sep 17 00:00:00 2001
Message-Id: <7f544c44dd4ba1ad53da0547ec92d178c7678edc.1645978829.git.auerswal@unix-ag.uni-kl.de>
In-Reply-To: <cover.1645978829.git.auerswal@unix-ag.uni-kl.de>
References: <20220221180158.GA18107@unix-ag.uni-kl.de>
	<cover.1645978829.git.auerswal@unix-ag.uni-kl.de>
From: Erik Auerswald <auerswal@unix-ag.uni-kl.de>
Date: Sun, 27 Feb 2022 14:30:40 +0100
Subject: [PATCH 2/3] telnet: Fix TTYPE subnegotiation off-by-one error.
To: ams@gnu.org
Cc: bug-inetutils@gnu.org,
    jmayer@loplof.de

Fix off-by-one error in Terminal-Type option subnegotiation if the TERM
variable has exactly 44 bytes.  In this case the SE byte (end of
subnegotiation parameters) was replaced by a NUL byte.  This concerns
the CVE-2019-0053 fixes.  Reported by Erik Auerswald in
<https://lists.gnu.org/archive/html/bug-inetutils/2022-02/msg00004.html>.

* NEWS: Mention fix.
* telnet/telnet.c (suboption): Adjust length check to account for NUL
byte written by snprintf().
---
 NEWS            | 5 +++++
 telnet/telnet.c | 2 +-
 2 files changed, 6 insertions(+), 1 deletion(-)

diff --git a/NEWS b/NEWS
index 166ca457..319bb2f9 100644
--- a/NEWS
+++ b/NEWS
@@ -11,6 +11,11 @@ Abort subnegotiation of X Display Location Option with WON'T when DISPLAY
 value is too large for buffer.  Reported by Joerg Mayer in
 <https://lists.gnu.org/archive/html/bug-inetutils/2022-01/msg00010.html>.
 
+Fix off-by-one error in Terminal-Type option subnegotiation if the TERM
+variable has exactly 44 bytes.  This concerns the CVE-2019-0053 fixes.
+Reported by Erik Auerswald in
+<https://lists.gnu.org/archive/html/bug-inetutils/2022-02/msg00004.html>.
+
 ** Various bugs fixes, internal improvements and clean ups.
 
 Further cleanup of configure.ac, updates to modern autoconf releases,
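Review bot: the NEWS entry omits the user-visible symptom that the commit message states, namely that the SE byte closing the subnegotiation was replaced by a NUL byte when TERM is exactly 44 bytes long; consider adding that sentence to the NEWS text so readers of the release notes can tell whether they were affected without consulting the commit history.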
diff --git a/telnet/telnet.c b/telnet/telnet.c
index 62c79653..d7e0ad8e 100644
--- a/telnet/telnet.c
+++ b/telnet/telnet.c
@@ -860,7 +860,7 @@ suboption (void)
 	  name = gettermname ();
 	  len = strlen (name) + 4 + 2;
 
-	  if ((len < NETROOM ()) && (len <= (int) sizeof (temp)))
+	  if ((len < NETROOM ()) && (len < (int) sizeof (temp)))
 	    {
 	      snprintf ((char *) temp, sizeof (temp), "%c%c%c%c%s%c%c",
 			IAC, SB, TELOPT_TTYPE, TELQUAL_IS,
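Review bot: the tightened comparison `len < (int) sizeof (temp)` is the right bound, because `snprintf (temp, sizeof (temp), ...)` writes `len` bytes plus a terminating NUL, so with the old `len <= (int) sizeof (temp)` a name of length `sizeof (temp) - 6` made `len` equal to `sizeof (temp)` and the final SE byte was truncated in favour of the NUL, which is the symptom the commit message describes. Since `len` is computed as `strlen (name) + 4 + 2` without the NUL, a one-line comment above the check (e.g. `/* snprintf() also writes a terminating NUL, so len must be strictly less than the buffer size. */`) would document why both halves of the condition now use `<` and prevent the `<=` from being reintroduced; the unchanged `len < NETROOM ()` already leaves the needed slack and is fine as is.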
-- 
2.17.1

