aboutsummaryrefslogtreecommitdiffstats
path: root/meta-networking/recipes-netkit/netkit-telnet/files/CVE-2020-10188.patch
diff options
context:
space:
mode:
Diffstat (limited to 'meta-networking/recipes-netkit/netkit-telnet/files/CVE-2020-10188.patch')
-rw-r--r--meta-networking/recipes-netkit/netkit-telnet/files/CVE-2020-10188.patch112
1 files changed, 0 insertions, 112 deletions
diff --git a/meta-networking/recipes-netkit/netkit-telnet/files/CVE-2020-10188.patch b/meta-networking/recipes-netkit/netkit-telnet/files/CVE-2020-10188.patch
deleted file mode 100644
index d21c602746..0000000000
--- a/meta-networking/recipes-netkit/netkit-telnet/files/CVE-2020-10188.patch
+++ /dev/null
@@ -1,112 +0,0 @@
-From 6ab007dbb1958371abff2eaaad2b26da89b3c74e Mon Sep 17 00:00:00 2001
-From: Yi Zhao <yi.zhao@windriver.com>
-Date: Fri, 24 Apr 2020 09:43:44 +0800
-Subject: [PATCH] telnetd/utility.c: fix CVE-2020-10188
-
-Upstream-Status: Backport
-[Fedora: https://src.fedoraproject.org/rpms/telnet/raw/master/f/telnet-0.17-overflow-exploit.patch]
-
-CVE: CVE-2020-10188
-
-Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
----
- telnetd/utility.c | 32 +++++++++++++++++++++-----------
- 1 file changed, 21 insertions(+), 11 deletions(-)
-
-diff --git a/telnetd/utility.c b/telnetd/utility.c
-index 75314cb..b9a46a6 100644
---- a/telnetd/utility.c
-+++ b/telnetd/utility.c
-@@ -169,31 +169,38 @@ void ptyflush(void)
- */
- static
- char *
--nextitem(char *current)
-+nextitem(char *current, const char *endp)
- {
-+ if (current >= endp) {
-+ return NULL;
-+ }
- if ((*current&0xff) != IAC) {
- return current+1;
- }
-+ if (current+1 >= endp) {
-+ return NULL;
-+ }
- switch (*(current+1)&0xff) {
- case DO:
- case DONT:
- case WILL:
- case WONT:
-- return current+3;
-+ return current+3 <= endp ? current+3 : NULL;
- case SB: /* loop forever looking for the SE */
- {
- register char *look = current+2;
-
-- for (;;) {
-+ while (look < endp) {
- if ((*look++&0xff) == IAC) {
-- if ((*look++&0xff) == SE) {
-+ if (look < endp && (*look++&0xff) == SE) {
- return look;
- }
- }
- }
-+ return NULL;
- }
- default:
-- return current+2;
-+ return current+2 <= endp ? current+2 : NULL;
- }
- } /* end of nextitem */
-
-@@ -219,7 +226,7 @@ void netclear(void)
- register char *thisitem, *next;
- char *good;
- #define wewant(p) ((nfrontp > p) && ((*p&0xff) == IAC) && \
-- ((*(p+1)&0xff) != EC) && ((*(p+1)&0xff) != EL))
-+ (nfrontp > p+1 && (((*(p+1)&0xff) != EC) && ((*(p+1)&0xff) != EL))))
-
- #if defined(ENCRYPT)
- thisitem = nclearto > netobuf ? nclearto : netobuf;
-@@ -227,7 +234,7 @@ void netclear(void)
- thisitem = netobuf;
- #endif
-
-- while ((next = nextitem(thisitem)) <= nbackp) {
-+ while ((next = nextitem(thisitem, nbackp)) != NULL && next <= nbackp) {
- thisitem = next;
- }
-
-@@ -239,20 +246,23 @@ void netclear(void)
- good = netobuf; /* where the good bytes go */
- #endif
-
-- while (nfrontp > thisitem) {
-+ while (thisitem != NULL && nfrontp > thisitem) {
- if (wewant(thisitem)) {
- int length;
-
- next = thisitem;
- do {
-- next = nextitem(next);
-- } while (wewant(next) && (nfrontp > next));
-+ next = nextitem(next, nfrontp);
-+ } while (next != NULL && wewant(next) && (nfrontp > next));
-+ if (next == NULL) {
-+ next = nfrontp;
-+ }
- length = next-thisitem;
- bcopy(thisitem, good, length);
- good += length;
- thisitem = next;
- } else {
-- thisitem = nextitem(thisitem);
-+ thisitem = nextitem(thisitem, nfrontp);
- }
- }
-
---
-2.7.4
-
generated by cgit 1.2.3-korg (git 2.39.0) at 2024-05-04 08:46:33 +0000