Re: Telnetd Vulnerability Report

[Solar Designer <solar () openwall com>]

On Sun, Mar 08, 2026 at 11:41:47AM +0200, Justin Swartz wrote:
> On 2026-03-08 10:05, Solar Designer wrote:
> > On Sun, Mar 08, 2026 at 09:34:22AM +0200, Justin Swartz wrote:
> > > +is_env_var_allowed (const char *var, const char *val)
> > > +{
> > > +  const char * const *p;
> >
> > This second const here looks wrong as you're changing the value of this
> > pointer.  I suggested this syntax only for the array, where you used it
> > correctly.
>
> That pointer isn't constant.

Oh, you're right, I was wrong.  It's a non-const pointer to a const
pointer to a const string.  Which is what we need here.

It's still uncommon in projects to const'ify string arrays like that,
but I think we should start doing that more.  So I hope this little
digression we had is helpful beyond these telnetd patches.

Thank you for posting the tests.

Alexander