
telnet: Prevent buffer overflow in the user prompt for SRA
ClosedPublic

Authored by jhb on Apr 15 2025, 12:21 AM.

Details

Summary

The Secure RPC authenticator for telnet prompts the local user for the
username to use for authentication. Previously it was using sprintf()
into a buffer of 256 bytes, but the username received over the wire
can be up to 255 bytes long which would overflow the prompt buffer.
Fix this in two ways: First, use snprintf() and check for overflow.
If the prompt buffer overflows, fail authentication without prompting
the user. Second, add 10 bytes to the buffer size to account for the
overhead of the prompt so that a maximally sized username fits.

While here, replace a bare 255 in the subsequent telnet_gets call with
an expression using sizeof() the relevant buffer.

PR: 270263
Reported by: Robert Morris <rtm@lcs.mit.edu>
Tested on: CHERI
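An added illustration of the check the summary describes (this is not the telnet code and not part of this revision). It assumes a prompt of the form "User (<name>): " as seen in the reviewer's session, the 256-byte buffer grown by 10, and hypothetical helper names; the point is that snprintf() reports the length it wanted, so a result >= the buffer size is the overflow the old sprintf() would have written.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed sizes modelled on the review: the wire username can be up
 * to 255 bytes, the prompt wraps it in "User (" and "): " (9 bytes), and
 * the original 256-byte buffer is grown by 10 to absorb that overhead. */
#define PROMPT_OVERHEAD 10
#define PROMPT_BUFSZ    (256 + PROMPT_OVERHEAD)

/* Hypothetical helper: build the prompt with snprintf() and refuse when
 * it would not fit. Returns true on success; on false the caller fails
 * authentication without ever prompting the user. */
bool build_sra_prompt(char *buf, size_t bufsz, const char *user)
{
    int n = snprintf(buf, bufsz, "User (%s): ", user);

    /* snprintf() returns the length it wanted to write; a value >= bufsz
     * means the output was truncated, i.e. sprintf() would have overflowed. */
    if (n < 0 || (size_t)n >= bufsz)
        return false;
    return true;
}

/* Wrapper over a PROMPT_BUFSZ-sized stack buffer, mirroring the fixed path. */
bool prompt_fits(const char *user)
{
    char prompt[PROMPT_BUFSZ];

    return build_sra_prompt(prompt, sizeof(prompt), user);
}

/* Constructed username of `len` 'a' bytes, like the reviewer's printf|tr
 * test, so that the boundary cases can be checked without a network peer. */
bool prompt_fits_n(size_t len)
{
    char user[512];

    if (len >= sizeof(user))
        return false;
    memset(user, 'a', len);
    user[len] = '\0';
    return prompt_fits(user);
}

int main(void)
{
    printf("255-byte name: %s\n", prompt_fits_n(255) ? "ok" : "rejected");
    printf("266-byte name: %s\n", prompt_fits_n(266) ? "ok" : "rejected");
    return 0;
}
```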

Diff Detail

Repository
rG FreeBSD src repository

Event Timeline

jhb requested review of this revision. Apr 15 2025, 12:21 AM

If the prompt buffer overflows, fail authentication without prompting the user.

$ USER=$(printf "%266s" | tr " " a) telnet localhost
Trying ::1...
Connected to localhost.
Escape character is '^]'.
Trying SRA secure login:
contrib/telnet/libtelnet/sra.c, lines 244–245

Shouldn't it be + 9 here?

$ USER=$(printf "%256s" | tr " " a) telnet localhost
Trying ::1...
Connected to localhost.
Escape character is '^]'.
Trying SRA secure login:
User (aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa):

If the prompt buffer overflows, fail authentication without prompting the user.

$ USER=$(printf "%266s" | tr " " a) telnet localhost
Trying ::1...
Connected to localhost.
Escape character is '^]'.
Trying SRA secure login:

Sorry, this general comment should have been erased; it is another (different) issue:

$ USER=$(printf "%266s" | tr " " a) telnet
telnet> toggle authdebug
auth debugging enabled
telnet> open localhost
Trying ::1...
Connected to localhost.
Escape character is '^]'.
>>>TELNET: I support auth type 2 2
>>>TELNET: I support auth type 2 0
>>>TELNET: I support auth type 6 0
>>>TELNET: auth_send got: 06 00
>>>TELNET: He supports 6
>>>TELNET: Trying 6 0
Sent PKA to server.
Trying SRA secure login:
>>>IS:0: [0] (48) 63 32 30 30 63 65 32 61 34 36 32 34 65 30 36 32
>>>TELNET: Using type 6
SRA user name too long
contrib/telnet/libtelnet/sra.c, lines 244–245

Yes, I rounded up to + 10.

This revision is now accepted and ready to land. Apr 15 2025, 7:36 PM