oss-sec mailing list archives
Re: Remote Pre-Auth Buffer Overflow in GNU Inetutils telnetd (LINEMODE SLC)
From: Paul Eggert <eggert () cs ucla edu>
Date: Thu, 12 Mar 2026 15:48:12 -0700
On 2026-03-12 13:57, Collin Funk wrote:
Solar Designer <solar () openwall com> writes:.../* Do nothing if the entire triplet cannot fit in the buffer. */ if (slcbuf + sizeof slcbuf <= slcptr + 6) return; In "slcptr + 6", it appears to rely on pointer math working outside of the object, but that's UB in C.
That's right.
CC'ing bug-gnulib. Do we make any assumptions about this behavior in Gnulib?
No, we follow C's rules in this respect. Pointers can't point outside the addressed object (except that that they can point to the very next byte and this exceptional pointer cannot be dereferenced).
A proper check may be: if (slcbuf + sizeof slcbuf - 6 <= slcptr)
That assumes that sizeof slcbuf is at least 6. Although that may be true here, a safer idiom in general is:
if (slcbuf + sizeof slcbuf - slcptr <= 6)This cannot overflow, if slcptr points within the buffer and the buffer size does not exceed PTRDIFF_MAX (which is a safe assumption at least with GNU malloc-allocated buffers).
Current thread:
- Remote Pre-Auth Buffer Overflow in GNU Inetutils telnetd (LINEMODE SLC) Justin Swartz (Mar 12)
- Re: Remote Pre-Auth Buffer Overflow in GNU Inetutils telnetd (LINEMODE SLC) Solar Designer (Mar 12)
- Re: Remote Pre-Auth Buffer Overflow in GNU Inetutils telnetd (LINEMODE SLC) Collin Funk (Mar 12)
- Re: Remote Pre-Auth Buffer Overflow in GNU Inetutils telnetd (LINEMODE SLC) Paul Eggert (Mar 12)
- Re: Remote Pre-Auth Buffer Overflow in GNU Inetutils telnetd (LINEMODE SLC) Collin Funk (Mar 12)
- Re: Remote Pre-Auth Buffer Overflow in GNU Inetutils telnetd (LINEMODE SLC) Solar Designer (Mar 12)
- Re: Remote Pre-Auth Buffer Overflow in GNU Inetutils telnetd (LINEMODE SLC) Collin Funk (Mar 13)
- Re: Remote Pre-Auth Buffer Overflow in GNU Inetutils telnetd (LINEMODE SLC) Solar Designer (Mar 12)
