Commit Graph

153 Commits

Author SHA1 Message Date
Gleb Smirnoff
f5c44977ff When telnetd(8) composes argument list for login(1), an unexpected sequence
of memory allocation failures combined with insufficient error checking
could result in the construction and execution of an argument sequence that
was not intended.

Fix that treating malloc(3) failures as fatal condition.

Submitted by:	brooks
Security:	FreeBSD-SA-16:36.telnetd
2016-12-06 18:50:22 +00:00
Dimitry Andric
866616de6e Fix warnings in telnet about invalid constant conversions, e.g.:
contrib/telnet/telnet/commands.c:2914:13: error: implicit conversion
from 'int' to 'char' changes value from 137 to -119
[-Werror,-Wconstant-conversion]
                *lsrp++ = IPOPT_SSRR;
                        ~ ^~~~~~~~~~
/usr/include/netinet/ip.h:152:21: note: expanded from macro 'IPOPT_SSRR'
#define IPOPT_SSRR              137             /* strict source route */
                                ^~~
contrib/telnet/telnet/commands.c:2916:13: error: implicit conversion
from 'int' to 'char' changes value from 131 to -125
[-Werror,-Wconstant-conversion]
                *lsrp++ = IPOPT_LSRR;
                        ~ ^~~~~~~~~~
/usr/include/netinet/ip.h:148:21: note: expanded from macro 'IPOPT_LSRR'
#define IPOPT_LSRR              131             /* loose source route */
                                ^~~

Use unsigned char buffers instead.

MFC after:	1 week
2016-08-30 20:27:22 +00:00
Dimitry Andric
c43262580d Squelch clang 3.9.0 warnings about BASE (which is 32768) being converted
to -32768 when it is used as an argument to mp_itom(), in both libtelnet
and newkey.  This code has been wrong since r26238 (!), so after almost
20 years it is rather useless to try to correct it.

MFC after:	1 week
2016-08-30 19:02:15 +00:00
Enji Cooper
ad11def521 Add baud rate support to telnet(1)
This implements part of RFC-2217

It's based off a patch originally written by Sujal Patel at Isilon, and
contributions from other Isilon employees.

PR: 173728
Phabric: D995
Reviewed by: markj, markm
MFC after: 2 weeks
Sponsored by: EMC / Isilon Storage Division
2014-11-11 04:06:05 +00:00
Marcel Moolenaar
6df39cc949 Improve upon previous commit:
1.  Check return of mmap(2) (*)
2.  Avoid FD leak when fstat fails.
3.  Fix style(9).

(*) Pointed out by jmg@
2014-03-02 03:34:06 +00:00
Marcel Moolenaar
8c82820bc3 Revive support for /etc/issue, lost due revision 81963.
Obtained from:	Juniper Networks, Inc.
2014-03-02 00:47:47 +00:00
Simon J. Gerraty
1a02b48ede Propagate ancient fix from Junos.
Use of -h is not supposed to depend on AUTHENTICATION being defined.

Reviewed by: markm
2013-11-07 00:36:39 +00:00
Marcel Moolenaar
f2e6a017d5 Fix "automatic" login, broken by revision 69825 (12 years, 5 months ago).
The "automatic" login feature is described as follows:
The USER environment variable holds the name of the person telnetting in.
This is the username of the person on the client machine. The traditional
behaviour is to execute login(1) with this username first, meaning that
login(1) will prompt for the password only. If login fails, login(1) will
retry, but now prompt for the username before prompting for the password.

This feature got broken by how the environment got scrubbed. Before the
change in r69825 we removed variables that we deemed dangerous. Starting
with r69825 we only keep those variable we know to be safe.

The USER environment variable fell through the cracks. It suddenly got
scrubbed (i.e. removed from the environment) while still being checked
for. It also got explicitly removed from the environment to handle the
failed login case.

The fix is to obtain the value of the USER environment variable before
we scrub the environment and used the "cached" in subsequent checks.
This guarantees that the environment does not contain the USER variable
in the end, while still being able to implement "automatic" login.

Obtained from:	Juniper Networks, Inc.
2013-05-31 17:30:12 +00:00
Kevin Lo
ba670ce023 Make sure that each va_start has one and only one matching va_end,
especially in error cases.
2012-09-28 07:51:30 +00:00
Joel Dahl
5febe54f25 Remove superfluous paragraph macro. 2012-06-17 11:04:38 +00:00
Stanislav Sedov
3ef51c5fb9 - Do not use deprecated krb5 error message reporting functions in libtelnet. 2012-04-06 00:03:45 +00:00
Colin Percival
3e65b9c6e6 Fix a problem whereby a corrupt DNS record can cause named to crash. [11:06]
Add an API for alerting internal libc routines to the presence of
"unsafe" paths post-chroot, and use it in ftpd. [11:07]

Fix a buffer overflow in telnetd. [11:08]

Make pam_ssh ignore unpassphrased keys unless the "nullok" option is
specified. [11:09]

Add sanity checking of service names in pam_start. [11:10]

Approved by:    so (cperciva)
Approved by:    re (bz)
Security:       FreeBSD-SA-11:06.bind
Security:       FreeBSD-SA-11:07.chroot
Security:       FreeBSD-SA-11:08.telnetd
Security:       FreeBSD-SA-11:09.pam_ssh
Security:       FreeBSD-SA-11:10.pam
2011-12-23 15:00:37 +00:00
Dimitry Andric
e9db6b2474 In contrib/telnet/telnet/utilities.c, fix a few warnings about format
strings not being literals.

MFC after:	1 week
2011-12-17 18:18:36 +00:00
Dimitry Andric
1f8811efbc In contrib/telnet/telnetd/utility.c, fix a few warnings about format
strings not being literals.

MFC after:	1 week
2011-12-16 16:53:54 +00:00
Dimitry Andric
675be9115a In contrib/telnet/libtelnet/sra.c, use the correct number of bytes to
zero the password buffer.

MFC after:	1 week
2011-12-16 00:48:53 +00:00
Jilles Tjoelker
524461f158 telnet: Fix infinite loop if local output generates SIGPIPE.
Instead of catching SIGPIPE and jumping out of the signal handler with
longjmp, ignore it and handle write errors to the local output by exiting
from there. I have changed the error message to mention the local output
instead of NetBSD's wrong "Connection closed by foreign host". Write errors
to the network were already handled by exiting immediately and this now
applies to EPIPE too.

The code assumed that SIGPIPE could only be generated by the network
connection; if it was generated by the local output, it would longjmp out of
the signal handler and write an error message which caused another SIGPIPE.

PR:		19773
Obtained from:	NetBSD
MFC after:	1 week
2010-04-30 19:52:35 +00:00
Ed Schouten
c36be85f01 Forgot a part that was missing in the previous commit.
There is no need to call trimdomain() anymore now that ut_host is big
enough to fit decent hostnames.
2010-01-13 18:46:50 +00:00
Ed Schouten
c2fd39cb4d Let telnetd build without utmp and logwtmp(3).
Just like rlogind, there is no need to change the ownership of the
terminal during shutdown anymore. Also don't call logwtmp, because the
login(1)/PAM is responsible for doing this. Also use SHUT_RDWR instead
of 2.
2010-01-13 18:37:42 +00:00
Ed Schouten
cea2194d9c Remove unneeded inclusion of <utmp.h> and dead variables. 2009-12-27 11:56:32 +00:00
Ed Schouten
ea74c11fae Use <termios.h> instead of <sys/termios.h>.
<sys/termios.h> only works on FreeBSD by accident.
2009-11-28 11:57:25 +00:00
Ed Schouten
b3aaa0cc21 Rename all symbols in libmp(3) to mp_*, just like Solaris.
The function pow() in libmp(3) clashes with pow(3) in libm. We could
rename this single function, but we can just take the same approach as
the Solaris folks did, which is to prefix all function names with mp_.

libmp(3) isn't really popular nowadays. I suspect not a single
application in ports depends on it. There's still a chance, so I've
increased the SHLIB_MAJOR and __FreeBSD_version.

Reviewed by:	deischen, rdivacky
2009-02-26 21:43:15 +00:00
Colin Percival
3a5733c67b Correctly scrub telnetd's environment.
Approved by:	so (cperciva)
Security:	FreeBSD-SA-09:05.telnetd
2009-02-16 21:56:17 +00:00
Ed Schouten
279d93aa23 Use strlcpy() instead of strcpy().
Requested by:	mlaier
2008-11-13 20:40:38 +00:00
Ed Schouten
225c0f4b44 Convert telnetd(8) to use posix_openpt(2).
Some time ago I got some reports MPSAFE TTY broke telnetd(8). Even
though it turned out to be a different problem within the TTY code, I
spotted a small issue with telnetd(8). Instead of allocating PTY's using
openpty(3) or posix_openpt(2), it used its own PTY allocation routine.
This means that telnetd(8) still uses /dev/ptyXX-style devices.

I've also increased the size of line[]. Even though 16 should be enough,
we already use 13 bytes ("/dev/pts/999", including '\0'). 32 bytes gives
us a little more freedom.

Also enable -DSTREAMSPTY. Otherwise telnetd(8) strips the PTY's pathname
to the latest slash instead of just removing "/dev/" (e.g. /dev/pts/0 ->
0, instead of pts/0).

Reviewed by:	rink
2008-11-13 19:05:27 +00:00
Antoine Brodin
d676c049d7 Fix TELOPT(opt) when opt > TELOPT_TN3270E.
PR:		127194
Submitted by:	Joost Bekkers
MFC after:	1 month
2008-09-13 17:46:50 +00:00
Tom Rhodes
074d0d4c1d List authentication types supported with "-X" taken from the libtelnet
code.

PR:		121721
2008-08-29 00:04:37 +00:00
John Baldwin
2e38385526 Don't attempt authentication at all if it has been disabled via '-a off'.
This works around a bug in HP-UX's telnet client and also gives a much
saner user experience when using FreeBSD's telnet client.

PR:		bin/19405
Submitted by:	Joel Ray Holveck   joelh of gnu.org
MFC after:	1 month
2008-07-28 18:58:16 +00:00
George V. Neville-Neil
8409aedfa6 Commit IPv6 support for FAST_IPSEC to the tree.
This commit includes all remaining changes for the time being including
user space updates.

Submitted by:    bz
Approved by:    re
2007-07-01 12:08:08 +00:00
Ruslan Ermilov
a903458081 Markup nits. 2006-09-29 22:51:29 +00:00
Ruslan Ermilov
eb0fa6f5d7 Remove bogus casts of valid integer ioctl() arguments. 2006-09-26 21:46:12 +00:00
Maxim Konovalov
7585818828 o Mention .telnetrc DEFAULT keyword.
PR:		bin/100496 (sort of)
Obtained from:	NetBSD, heas@netbsd
MFC after:	3 weeks
2006-09-18 15:03:18 +00:00
Hajimu UMEMOTO
10cb8fdace NI_WITHSCOPEID cleanup 2005-05-21 15:28:42 +00:00
Jacques Vidrine
14aab889f4 Correct a pair of buffer overflows in the telnet(1) command:
(CAN-2005-0468) A heap buffer overflow in env_opt_add() and related
 functions.

 (CAN-2005-0469) A global uninitialized data section buffer overflow in
 slc_add_reply() and related functions.

As a result of these vulnerabilities, it may be possible for a malicious
telnet server or active network attacker to cause telnet(1) to execute
arbitrary code with the privileges of the user running it.

Security: CAN-2005-0468, CAN-2005-0469
Security: FreeBSD-SA-05:01.telnet
Security: http://www.idefense.com/application/poi/display?id=220&type=vulnerabilities
Security: http://www.idefense.com/application/poi/display?id=221&type=vulnerabilities

These fixes are based in part on patches
Submitted by:	Solar Designer <solar@openwall.com>
2005-03-28 14:45:12 +00:00
Anton Berezin
3a44a4c33e Increase usefulness of telnet(1) as a protocol tester. By prepending
"+" to the port number, disable option negotiation and allow
transferring of data with high bit set.

OKed by:	markm (maintainer)
PR:		52032
Submitted by:	Valentin Nechayev <netch maybe-at netch stop kiev stop ua>
MFC After:	2 weeks
2005-02-28 12:46:53 +00:00
Ruslan Ermilov
a5947c18a8 - Soften sentence breaks.
- Remove double whitespace.
- Sort sections.
2005-01-21 21:57:05 +00:00
Maxim Konovalov
de93353dad o Make telnet[d] -S (IP TOS) flag really work. We do not have
/etc/iptos implementation so only numeric values supported.

o telnetd.8: steal the -S flag description from telnet.1, bump
the date of the document.

MFC after:	6 weeks
2005-01-09 10:24:46 +00:00
Maxim Konovalov
913fffe21a o Add -4 and -6 flags to a man page and usage(). Bump the man page
date.
2005-01-05 09:59:38 +00:00
Maxim Konovalov
ab90852ba3 o Remove -t flag from getopt(3), it was killed in rev. 1.15 three
years ago.
2005-01-05 09:47:10 +00:00
Maxim Konovalov
0d4cc5f650 o Print a correct status for unix domain sockets.
o Restore input mode when return from the command one.

PR:			bin/49983
Submitted by:		Volker Stolz
OK in general from:	markm
MFC after:		1 month
2005-01-04 21:22:32 +00:00
Alexander Kabaev
14046059e1 Add missing () to function invocation. 2004-07-28 05:37:18 +00:00
Hajimu UMEMOTO
f95d46333d Switch Advanced Sockets API for IPv6 from RFC2292 to RFC3542
(aka RFC2292bis).  Though I believe this commit doesn't break
backward compatibility againt existing binaries, it breaks
backward compatibility of API.
Now, the applications which use Advanced Sockets API such as
telnet, ping6, mld6query and traceroute6 use RFC3542 API.

Obtained from:	KAME
2003-10-24 18:26:30 +00:00
Hajimu UMEMOTO
37b3e94167 EAI_ADDRFAMILY and EAI_NODATA was deprecated in RFC3493
(aka RFC2553bis).  Now, getaddrinfo(3) returns EAI_NONAME
instead of EAI_NODATA.  Our getaddrinfo(3) nor getnameinfo(3)
didn't use EAI_ADDRFAMILY.

Obtained from:	KAME
2003-10-23 13:55:36 +00:00
Hartmut Brandt
c7d4f4371f Implement what has been documented for a long time: make -debug switch
on socket debugging.

Okay'ed by: markm
2003-08-13 10:56:40 +00:00
Mark Murray
074e8e8ee9 Fix up external variables named "debug" that have a horrible habit
of conflicting with other, similarly named functions in static
libraries. This is done mostly by renaming the var if it is shared
amongst modules, or making it static otherwise.

OK'ed by:	re(scottl)
2003-05-11 18:17:00 +00:00
David E. O'Brien
77b7cdf199 Use __FBSDID vs. rcsid[]. Also protect sccs[] and copyright[] from GCC 3.3. 2003-05-04 02:54:49 +00:00
Jacques Vidrine
81d1ffee08 Unbreak Kerberos 5 authentication in telnet.
(Credential forwarding is still broken.)

PR:	bin/45397
2003-03-06 13:41:53 +00:00
Jacques Vidrine
4b2eaea43f Background:
When libdes was replaced with OpenSSL's libcrypto, there were a few
 interfaces that the former implemented but the latter did not.  Because
 some software in the base system still depended upon these interfaces,
 we simply included them in our libcrypto (rnd_keys.c).

Now, finally get around to removing the dependencies on these
interfaces.  There were basically two cases:

  des_new_random_key -- This is just a wrapper for des_random_key, and
     these calls were replaced.

  des_init_random_number_generator et. al. -- A few functions were used
     by the application to seed libdes's PRNG.  These are not necessary
     when using libcrypto, as OpenSSL internally seeds the PRNG from
     /dev/random.  These calls were simply removed.

Again, some of the Kerberos 4 files have been taken off the vendor
branch.  I do not expect there to be future imports of KTH Kerberos 4.
2003-01-29 18:14:29 +00:00
Bill Fumerola
a3bb66de04 add more RFC defined telnet options
Reviewed by:	ps
2003-01-18 06:10:21 +00:00
Eric Melville
0d16d02150 Merge argument parsing changes into this copy of telnet.
Submitted by:	markm
Approved by:	bmah
2002-11-27 06:34:24 +00:00
Dima Dorfman
ba0f77df7a Permit the argument to the -s option to be a hostname. I see no
reason to restrict this to a numeric address.

PR:		41841
Submitted by:	Dmitry Pryanishnikov <dmitry@atlantis.dp.ua>,
		Maxim Maximov <mcsi@agava.com>
2002-10-02 00:27:14 +00:00