telnet: Prevent buffer overflow in the user prompt for SRA

The Secure RPC authenticator for telnet prompts the local user for the username to use for authentication. Previously it was using sprintf() into a buffer of 256 bytes, but the username received over the wire can be up to 255 bytes long which would overflow the prompt buffer. Fix this in two ways: First, use snprintf() and check for overflow. If the prompt buffer overflows, fail authentication without prompting the user. Second, add 10 bytes to the buffer size to account for the overhead of the prompt so that a maximally sized username fits. While here, replace a bare 255 in the subsequent telnet_gets call with an expression using sizeof() the relevant buffer. PR: 270263 Reported by: Robert Morris <rtm@lcs.mit.edu> Tested on: CHERI Reviewed by: emaste Differential Revision: https://reviews.freebsd.org/D49832
2026-06-04 22:32:43 -04:00 · 2025-04-16 09:41:03 -04:00 · 2025-04-16 09:41:03 -04:00 · 5737c2ae06
commit 5737c2ae06
parent b836c229aa
1 changed files with 12 additions and 4 deletions
--- a/contrib/telnet/libtelnet/sra.c
+++ b/contrib/telnet/libtelnet/sra.c
@ -241,9 +241,10 @@ bad:
 void
 sra_reply(Authenticator *ap, unsigned char *data, int cnt)
 {
-	char uprompt[256],tuser[256];
+	char uprompt[256 + 10];	/* +10 for "User (): " */
+	char tuser[256];
 	Session_Key skey;
-	size_t i;
+	size_t i, len;

 	if (cnt-- < 1)
 		return;
@ -266,8 +267,15 @@ sra_reply(Authenticator *ap, unsigned char *data, int cnt)

 		/* encode user */
 		memset(tuser,0,sizeof(tuser));
-		sprintf(uprompt,"User (%s): ",UserNameRequested);
-		telnet_gets(uprompt,tuser,255,1);
+		len = snprintf(uprompt, sizeof(uprompt), "User (%s): ",
+		    UserNameRequested);
+		if (len >= sizeof(uprompt)) {
+			if (auth_debug_mode) {
+				printf("SRA user name too long\r\n");
+			}
+			return;
+		}
+		telnet_gets(uprompt, tuser, sizeof(tuser) - 1, 1);
 		if (tuser[0] == '\n' || tuser[0] == '\r' )
 			strcpy(user,UserNameRequested);
 		else {