mirror of
https://github.com/openembedded/meta-openembedded.git
synced 2026-06-14 17:59:59 +00:00
Julius Hemanth Pitti
b4be735fdb
netoprintf() was not handling a case where
return value of vsnprintf is greater than
"size"(2nd argument), results in buffer overflow
while adjusting "nfrontp" pointer to point
beyond "netobuf" buffer.
Here is one such case where "nfrontp"
crossed boundaries of "netobuf", and
pointing to another global variable.
(gdb) p &netobuf[8255]
$5 = 0x55c93afe8b1f <netobuf+8255> ""
(gdb) p nfrontp
$6 = 0x55c93afe8c20 <terminaltype> "\377"
(gdb) p &terminaltype
$7 = (char **) 0x55c93afe8c20 <terminaltype>
(gdb)
This resulted in crash of telnetd service
with segmentation fault.
Signed-off-by: Julius Hemanth Pitti <jpitti@cisco.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 232b82afd4)
[appears to be CVE-2020-10188]
Signed-off-by: Armin Kuster <akuster808@gmail.com>