This code in telnetstr.c is broken:

    static char *getTelOpt(int what)
    {
        char *wcp, wbuf[11];        /* wbuf lives on this function's stack frame */

        switch (what) {
        case TERMINAL_TYPE:   wcp = "<TERMTYPE>";   break;
        case END_OF_RECORD:   wcp = "<END_OF_REC>"; break;
        case TRANSMIT_BINARY: wcp = "<BINARY>";     break;
        case NEW_ENVIRON:     wcp = "<NEWENV>";     break;
        case EOR:             wcp = "<EOR>";        break;
        default:              sprintf(wcp = wbuf, "<%02X>", what); break;
        }
        return wcp;                 /* in the default case this points into wbuf */
    }

Here wbuf[] gets dynamically allocated on the stack. As soon as the function returns, wcp[] might be overwritten. Better do this:

    {
        char *wcp;
        static char wbuf[11];       /* 11 bytes: '<' + 8 hex digits + '>' + NUL */
        ...
        default: snprintf(wcp = wbuf, sizeof(wbuf), "<%02X>", what); break;

"snprintf", btw, is the 21st century version of "sprintf" :-)

"what" is a value that can be sent by the host, so we don't really know how large or small it is. A malicious host could put 0xFFFFFFFF into it. And because the "02" of "%02X" is just a hint, we could get back 11 characters plus a terminating NUL sign from sprintf. So we need to reserve 11 characters, not 10. If we don't, we'd overwrite the stack. However, snprintf won't overwrite the stack anyway, so it adds a little more security.
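As an added example (not from the post or from telnetstr.c), the same function written so that the caller owns the buffer and snprintf's return value is checked for truncation instead of trusting a fixed size; the telnet option numbers are the standard IANA values, assumed here because the post does not show the defines.

```c
#include <stdio.h>
#include <string.h>

/* Standard telnet option/command numbers (IANA assignments); assumed here because
   the post does not show the defines. */
#define TRANSMIT_BINARY 0
#define TERMINAL_TYPE   24
#define END_OF_RECORD   25
#define NEW_ENVIRON     39
#define EOR             239

/* Worst case for "<%02X>": '<' + 8 hex digits + '>' + NUL = 11 bytes, as the post says. */
#define TELOPT_NAME_MAX 11

/* Hardened variant of getTelOpt: the caller owns buf, so no stack buffer outlives the call.
   Returns a literal for known codes, buf for the formatted fallback, NULL if buf was too small. */
static const char *getTelOptSafe(unsigned int what, char *buf, size_t len)
{
    int n;
    switch (what) {
    case TERMINAL_TYPE:   return "<TERMTYPE>";
    case END_OF_RECORD:   return "<END_OF_REC>";
    case TRANSMIT_BINARY: return "<BINARY>";
    case NEW_ENVIRON:     return "<NEWENV>";
    case EOR:             return "<EOR>";
    default:
        n = snprintf(buf, len, "<%02X>", what);
        /* snprintf returns the length it wanted; n >= len means the output was cut. */
        if (n < 0 || (size_t)n >= len) return NULL;
        return buf;
    }
}

/* Bytes sprintf would write for a code, NUL included: what a fixed-size wbuf must hold. */
static size_t telOptBytesNeeded(unsigned int what)
{
    return (size_t)snprintf(NULL, 0, "<%02X>", what) + 1;
}

/* Test helper: format `what` into a buffer of `len` bytes (len <= TELOPT_NAME_MAX) and
   report whether the result equals `expect` (expect == NULL means "must be rejected"). */
static int formatMatches(unsigned int what, size_t len, const char *expect)
{
    char buf[TELOPT_NAME_MAX];
    const char *out;
    if (len > sizeof buf) return 0;
    out = getTelOptSafe(what, buf, len);
    if (expect == NULL || out == NULL) return expect == out;
    return strcmp(out, expect) == 0;
}
```

telOptBytesNeeded(0xFFFFFFFF) returns 11, which is exactly the figure the post arrives at; with a 10-byte buffer the hardened function refuses rather than silently returning "<FFFFFFFF".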
This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].