Subject: telnet/tn3270 buffer overflows found
To: None <current-users@netbsd.org>
From: Jeremy C. Reed <reed@reedmedia.net>
List: current-users
Date: 01/18/2001 18:37:08
These are some notes from some research. I still need to send-pr these if
applicable. This is 1.5.1_ALPHA (i386).

Seg faults with 99999-character long argument.

/usr/bin/telnet
Program received signal SIGSEGV, Segmentation fault.
0x482032a6 in strcpy ()
#0  0x482032a6 in strcpy ()
#1  0x805a6a0 in dst_realm_sz ()
#2  0x804da2c in telnet_spin ()
#3  0x804a2e5 in encrypt_end ()

/usr/bin/tn3270
Program received signal SIGSEGV, Segmentation fault.
0x480f42a6 in strcpy ()
#0  0x480f42a6 in strcpy ()
#1  0x8067c00 in VB ()
#2  0x8051574 in dladdr ()
#3  0x8049f9d in getsockname ()

Then rebuilt it with "-g" debugging.
(By the way: what is the official NetBSD way of turning this on??)

#0  0x480f42a6 in strcpy ()
#1  0x8067be0 in _hostname ()
#2  0x8051574 in main (argc=1, argv=0xbfbe5528)
    at /usr/src/usr.bin/tn3270/tn3270/../../telnet/main.c:356
#3  0x8049f9d in ___start ()

I am not sure how to read this, but telnet/main.c has:

#if defined(TN3270) && defined(unix)
                        transcom = tline;
                        (void)strcpy(transcom, optarg);
#else

   Jeremy C. Reed
   http://www.reedmedia.net/
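Added example, not code from the post or from the NetBSD telnet sources: a bounds-checked replacement for the strcpy(transcom, optarg) pattern quoted from telnet/main.c above, which refuses an option value that does not fit instead of writing past the end of the buffer. The size of tline (256 here) and the function names are assumptions, since the post does not give them.

```c
#include <errno.h>
#include <stdlib.h>
#include <string.h>

/* Assumed size; the real tline size in telnet/main.c is not given in the post. */
#define TLINE_SIZE 256

static char tline[TLINE_SIZE];
static char *transcom;

/* Hardened form of:  transcom = tline; (void)strcpy(transcom, optarg);
 * The value is copied only if it (plus its terminating NUL) fits in tline.
 * Returns 0 on success, -1 with errno set if the value is too long; on
 * failure tline and transcom are left untouched. */
int set_transcom(const char *value)
{
    size_t len = strlen(value);

    if (len >= sizeof tline) {        /* no room for the NUL terminator */
        errno = ENAMETOOLONG;
        return -1;
    }
    transcom = tline;
    memcpy(transcom, value, len + 1); /* len + 1 copies the NUL as well */
    return 0;
}

const char *get_transcom(void)
{
    return transcom;
}

/* Helper for the check: builds a constructed argument of n 'A' characters
 * (the post's test used a 99999-character argument) and feeds it to
 * set_transcom. Returns set_transcom's result, or -2 on allocation failure. */
int try_long_arg(size_t n)
{
    char *arg = malloc(n + 1);
    int rc;

    if (arg == NULL)
        return -2;
    memset(arg, 'A', n);
    arg[n] = '\0';
    rc = set_transcom(arg);
    free(arg);
    return rc;
}
```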