File: 0005-telnetd-fix-stack-buffer-overflow-processing-SLC-sub.patch

Package: inetutils 2:2.7-4
From 6a2c3aa5c4ca5f09bdb6fdb28d9d369432506f3f Mon Sep 17 00:00:00 2001
From: Collin Funk <collin.funk1@gmail.com>
Date: Wed, 11 Mar 2026 23:06:46 -0700
Subject: [PATCH 5/5] telnetd: fix stack buffer overflow processing SLC
 suboption triplets

Previously a client could write past the end of an internal buffer using
an SLC suboption with many triplets using function octets greater than
18, possibly leading to remote code execution. Reported by Adiel Sol,
Arad Inbar, Erez Cohen, Nir Somech, Ben Grinberg, Daniel Lubel at DREAM
Security Research Team at:
<https://lists.gnu.org/r/bug-inetutils/2026-03/msg00031.html>.

* telnetd/slc.c (add_slc): Return early if writing the tuple would lead
us to writing past the end of the buffer.

Fixes: CVE-2026-32746
Origin: upstream, commit:95751794e3da2eebd605238ddbff2232b68edb5f
Forwarded: not-needed
---
 telnetd/slc.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/telnetd/slc.c b/telnetd/slc.c
index 9b5cadd0..e87a5a96 100644
--- a/telnetd/slc.c
+++ b/telnetd/slc.c
@@ -162,6 +162,9 @@ get_slc_defaults (void)
 void
 add_slc (char func, char flag, cc_t val)
 {
+  /* Do nothing if the entire triplet cannot fit in the buffer.  */
+  if (slcbuf + sizeof slcbuf - slcptr <= 6)
+    return;
 
   if ((*slcptr++ = (unsigned char) func) == 0xff)
     *slcptr++ = 0xff;
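Review bot: The bound in the new guard at the top of add_slc, `if (slcbuf + sizeof slcbuf - slcptr <= 6)`, is a bare 6 whose derivation the comment does not give. The visible write of func shows an octet equal to 0xff being doubled, so a triplet can presumably take up to 6 bytes if flag and val are escaped the same way; the comment should say so, and say why `<=` rather than `<` is used, since `<=` also rejects a triplet when exactly 6 bytes remain. If that extra headroom is reserved for bytes appended elsewhere, name it, ideally through a named constant instead of the literal. The expression also depends on slcbuf being an array at this point (sizeof applied to a pointer would give the pointer size), which the hunk does not show. Finally, the early return drops the triplet silently from a void function, so consider logging or counting the drop so that oversized SLC suboptions sent by a client are visible to operators.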
-- 
2.53.0