mirror of
https://github.com/openembedded/meta-openembedded.git
synced 2025-07-19 15:29:08 +02:00
232b82afd4
netoprintf() was not handling a case where return value of vsnprintf is greater than "size"(2nd argument), results in buffer overflow while adjusting "nfrontp" pointer to point beyond "netobuf" buffer. Here is one such case where "nfrontp" crossed boundaries of "netobuf", and pointing to another global variable. (gdb) p &netobuf[8255] $5 = 0x55c93afe8b1f <netobuf+8255> "" (gdb) p nfrontp $6 = 0x55c93afe8c20 <terminaltype> "\377" (gdb) p &terminaltype $7 = (char **) 0x55c93afe8c20 <terminaltype> (gdb) This resulted in crash of telnetd service with segmentation fault. Signed-off-by: Julius Hemanth Pitti <jpitti@cisco.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> |
||
|---|---|---|
| .. | ||
| 0001-telnet-telnetd-Fix-deadlock-on-cleanup.patch | ||
| 0001-telnet-telnetd-Fix-print-format-strings.patch | ||
| 0001-telnetd-utility.c-Fix-buffer-overflow-in-netoprintf.patch | ||
| cross-compile.patch | ||
| CVE-2020-10188.patch | ||
| telnet-xinetd | ||
| To-aviod-buffer-overflow-in-telnet.patch | ||
| Warning-fix-in-the-step-of-install.patch | ||