Subject: telnet/tn3270 buffer overflows found
To: None <current-users@netbsd.org>
From: Jeremy C. Reed <reed@reedmedia.net>
List: current-users
Date: 01/18/2001 18:37:08
These are some notes from some research. I still need to send-pr these if
applicable. This is 1.5.1_ALPHA (i386).
Seg faults with 99999-character long argument.
/usr/bin/telnet
Program received signal SIGSEGV, Segmentation fault.
0x482032a6 in strcpy ()
#0 0x482032a6 in strcpy ()
#1 0x805a6a0 in dst_realm_sz ()
#2 0x804da2c in telnet_spin ()
#3 0x804a2e5 in encrypt_end ()
/usr/bin/tn3270
Program received signal SIGSEGV, Segmentation fault.
0x480f42a6 in strcpy ()
#0 0x480f42a6 in strcpy ()
#1 0x8067c00 in VB ()
#2 0x8051574 in dladdr ()
#3 0x8049f9d in getsockname ()
Then rebuilt it with "-g" debugging.
(By the way: what is the official NetBSD way of turning this on??)
#0 0x480f42a6 in strcpy ()
#1 0x8067be0 in _hostname ()
#2 0x8051574 in main (argc=1, argv=0xbfbe5528)
at /usr/src/usr.bin/tn3270/tn3270/../../telnet/main.c:356
#3 0x8049f9d in ___start ()
I am not sure how to read this, but telnet/main.c has:
#if defined(TN3270) && defined(unix)
transcom = tline;
(void)strcpy(transcom, optarg);
#else
Jeremy C. Reed
http://www.reedmedia.net/
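The strcpy() quoted above copies optarg into a fixed buffer with no length check. The following is an added example, not NetBSD's code, that shows that pattern next to a bounded replacement which refuses an argument that would not fit; the tline size of 64 is an assumption, since the post does not give the real one.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for tn3270's tline[]: the real size is not given in the post, so
 * the 64 here is a constructed assumption. */
#define TLINE_SIZE 64

/* The pattern from telnet/main.c: strcpy() copies strlen(src)+1 bytes no
 * matter how large the destination is, so an over-long -t argument runs
 * past the end of tline. Kept only as the shape to recognise in review;
 * it is never called with untrusted input here. */
void copy_transcom_unbounded(char *tline, const char *optarg) {
    (void)strcpy(tline, optarg);
}

/* Hardened form: check the length against the destination before copying.
 * Returns 0 on success, -1 (leaving tline untouched) if it would not fit.
 * On NetBSD the equivalent check can be written with strlcpy(3):
 *   if (strlcpy(tline, arg, size) >= size) return -1;
 * strlcpy is avoided here so the example also builds on non-BSD libcs. */
int set_transcom(char *tline, size_t tline_size, const char *arg) {
    size_t len = strlen(arg);
    if (tline_size == 0 || len >= tline_size)
        return -1;                 /* no room for the bytes plus the NUL */
    memcpy(tline, arg, len + 1);   /* len+1 includes the terminator */
    return 0;
}

/* Drives set_transcom() with an argument of n 'A' bytes, the way a long
 * command-line argument would reach it. Returns set_transcom()'s result,
 * or -2 on allocation failure. */
int transcom_accepts_length(size_t n) {
    char tline[TLINE_SIZE];
    char *arg = malloc(n + 1);
    int rc;
    if (arg == NULL)
        return -2;
    memset(arg, 'A', n);
    arg[n] = '\0';
    rc = set_transcom(tline, sizeof tline, arg);
    free(arg);
    return rc;
}

int main(void) {
    /* 99999 bytes, as in the post, is refused instead of overrunning tline. */
    printf("63 bytes: %d\n", transcom_accepts_length(63));
    printf("99999 bytes: %d\n", transcom_accepts_length(99999));
    return 0;
}
```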