File CVE-2022-39028.patch of Package telnet.26550

Overview Repositories Revisions Requests Users Attributes Meta

File CVE-2022-39028.patch of Package telnet.26550

Description: Fix remote DoS vulnerability in inetutils-telnetd
 This is caused by a crash by a NULL pointer dereference when sending the
 byte sequences «0xff 0xf7» or «0xff 0xf8».
Authors:
 Pierre Kim (original patch),
 Alexandre Torres (original patch),
 Erik Auerswald <auerswal@unix-ag.uni-kl.de> (adapted patch),
Reviewed-by: Erik Auerswald <auerswal@unix-ag.uni-kl.de>
Origin: upstream
Ref: https://pierrekim.github.io/blog/2022-08-24-2-byte-dos-freebsd-netbsd-telnetd-netkit-telnetd-inetutils-telnetd-kerberos-telnetd.html
Forwarded: https://lists.gnu.org/archive/html/bug-inetutils/2022-08/msg00002.html
Last-Update: 2022-08-28

diff --git a/telnetd/state.c b/telnetd/state.c
index ffc6cbaf..c2d760f8 100644
--- a/telnetd/state.c
+++ b/telnetd/state.c
@@ -185,16 +185,22 @@ telrcv (void)
 			case EC:
 			case EL:
 			    {
-				cc_t ch;
+				cc_t ch = (cc_t) (_POSIX_VDISABLE);
 
 				DIAG(TD_OPTIONS,
 					printoption("td: recv IAC", c));
 				ptyflush();	/* half-hearted */
 				init_termbuf();
 				if (c == EC)
-					ch = *slctab[SLC_EC].sptr;
+				  {
+				    if (slctab[SLC_EC].sptr)
+				      ch = *slctab[SLC_EC].sptr;
+				  }
 				else
-					ch = *slctab[SLC_EL].sptr;
+				  {
+				    if (slctab[SLC_EL].sptr)
+				      ch = *slctab[SLC_EL].sptr;
+				  }
 				if (ch != (cc_t)(_POSIX_VDISABLE))
 					*pfrontp++ = (unsigned char)ch;
 				break;

Places

File CVE-2022-39028.patch of Package telnet.26550

Places