upstream/opnsense-src
1
0
Fork 0
mirror of https://github.com/opnsense/src.git synced 2026-02-18 18:20:26 -05:00
Code Issues Projects Releases Packages Wiki Activity Actions
opnsense-src/contrib/telnet
History
John Baldwin 7485e6a867 telnet: Prevent buffer overflow in the user prompt for SRA 
The Secure RPC authenticator for telnet prompts the local user for the
username to use for authentication.  Previously it was using sprintf()
into a buffer of 256 bytes, but the username received over the wire
can be up to 255 bytes long which would overflow the prompt buffer.
Fix this in two ways: First, use snprintf() and check for overflow.
If the prompt buffer overflows, fail authentication without prompting
the user.  Second, add 10 bytes to the buffer size to account for the
overhead of the prompt so that a maximally sized username fits.

While here, replace a bare 255 in the subsequent telnet_gets call with
an expression using sizeof() the relevant buffer.

PR:		270263
Reported by:	Robert Morris <rtm@lcs.mit.edu>
Tested on:	CHERI
Reviewed by:	emaste
Differential Revision:	https://reviews.freebsd.org/D49832

(cherry picked from commit 5737c2ae06e143e49496df2ab5a64f76d5456012)
2025-04-29 10:45:52 -04:00
..
arpa telnet: remove 3rd clause from Berkeley copyrights 2019-08-15 13:27:57 +00:00
libtelnet telnet: Prevent buffer overflow in the user prompt for SRA 2025-04-29 10:45:52 -04:00
telnet Fix snprintf truncation in telnet 2023-12-24 14:59:34 +01:00