Re: TFTP client crash seems to be caused by missing bounds check in make

From: Erik Auerswald
Subject: Re: TFTP client crash seems to be caused by missing bounds check in makeargv()
Date: Wed, 7 Sep 2022 18:47:59 +0200

Hi Simon,

On Tue, Sep 06, 2022 at 08:05:04PM +0200, Simon Josefsson wrote:
> Erik Auerswald <auerswal@unix-ag.uni-kl.de> writes:
> > On 04.09.22 17:34, Erik Auerswald wrote:
> >> On 03.09.22 19:07, Erik Auerswald wrote:
> >>> On Sat, Sep 03, 2022 at 05:39:45PM +0200, Simon Josefsson wrote:
> >>>> [...]
> >>>> did you notice some fuzzing report that wasn't fixed?
> >>> [...]
> >>> * Problems found in tftp (the code did not change since the report):
> >>>
> >>>    * Untrusted Pointer Dereference in getcmd() at inetutils/src/tftp.c:878
> >>>      https://lists.gnu.org/archive/html/bug-inetutils/2021-12/msg00018.html
> >> That seems to be a missing bounds check in makeargv(), similar
> >> to the old, now fixed, code in telnet.
> >> I'll look into creating a nice reproducer instead of the one
> >> found by the fuzzer, adding a test case, and fixing the bug.
> >
> > That is harder than expected….  Is there a reason *not* to use
> > the crash input found by the fuzzer in a test for GNU Inetutils?
> More testing would be great!

I expect to find the time to finalize this during the coming weekend.
I intend to use perl to write the fuzzer-generated test input provided
by AiDai into the tftp client, similar to the telnet tests you have
added for the respective crash bugs.

After adding the test case I intend to commit the attached patch for tftp.

What do you think?


Attachment: 0001-tftp-ignore-excess-arguments.patch
Description: Text Data
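
The class of fix the thread describes (a bounds check in an argument tokenizer so that excess arguments are ignored), as an added example that is not the Inetutils source or the attached patch. The names `split_args` and `MAX_ARGS`, the capacity of 8, and the sample input are assumptions made for illustration.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_ARGS 8   /* hypothetical capacity of the argument vector */

/* Hypothetical makeargv()-style tokenizer. Splits `line` in place on
   whitespace, stores at most MAX_ARGS pointers in argv, NULL-terminates
   the vector and returns the number of arguments stored. *dropped
   receives the number of excess arguments that were ignored. */
static int split_args(char *line, char *argv[MAX_ARGS + 1], int *dropped)
{
    int argc = 0;
    char *p = line;

    *dropped = 0;
    while (*p != '\0') {
        while (isspace((unsigned char)*p))      /* skip leading blanks */
            p++;
        if (*p == '\0')
            break;
        /* The bounds check: without it, every further word would be
           written past the end of argv, leaving invalid pointers for
           the command lookup that reads the vector afterwards. */
        if (argc < MAX_ARGS)
            argv[argc++] = p;
        else
            (*dropped)++;                       /* ignore excess argument */
        while (*p != '\0' && !isspace((unsigned char)*p))
            p++;                                /* advance to end of word */
        if (*p != '\0')
            *p++ = '\0';                        /* terminate the word */
    }
    argv[argc] = NULL;   /* slot MAX_ARGS is reserved for the terminator */
    return argc;
}

int main(void)
{
    char line[] = "put a b c d e f g h i j";   /* constructed: 11 words */
    char *argv[MAX_ARGS + 1];
    int dropped;
    int argc = split_args(line, argv, &dropped);

    printf("stored=%d dropped=%d last=%s\n", argc, dropped, argv[argc - 1]);
    return (argc == MAX_ARGS && dropped == 3) ? 0 : 1;
}
```

A regression test for such a fix feeds the tokenizer more words than the vector holds, which is what the fuzzer-generated input mentioned above would do to the real client.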
