Commit Graph

122 Commits

Author SHA1 Message Date
ume
ed819b8c09 NI_WITHSCOPEID cleanup 2005-05-21 15:28:42 +00:00
nectar
fc3b18bce3 Correct a pair of buffer overflows in the telnet(1) command:
(CAN-2005-0468) A heap buffer overflow in env_opt_add() and related
 functions.

 (CAN-2005-0469) A global uninitialized data section buffer overflow in
 slc_add_reply() and related functions.

As a result of these vulnerabilities, it may be possible for a malicious
telnet server or active network attacker to cause telnet(1) to execute
arbitrary code with the privileges of the user running it.

Security: CAN-2005-0468, CAN-2005-0469
Security: FreeBSD-SA-05:01.telnet
Security: http://www.idefense.com/application/poi/display?id=220&type=vulnerabilities
Security: http://www.idefense.com/application/poi/display?id=221&type=vulnerabilities

These fixes are based in part on patches
Submitted by:	Solar Designer <solar@openwall.com>
2005-03-28 14:45:12 +00:00
tobez
e89ea7ac96 Increase usefulness of telnet(1) as a protocol tester. By prepending
"+" to the port number, disable option negotiation and allow
transferring of data with high bit set.

OKed by:	markm (maintainer)
PR:		52032
Submitted by:	Valentin Nechayev <netch maybe-at netch stop kiev stop ua>
MFC After:	2 weeks
2005-02-28 12:46:53 +00:00
ru
0b29d18074 - Soften sentence breaks.
- Remove double whitespace.
- Sort sections.
2005-01-21 21:57:05 +00:00
maxim
ae5da6b5cf o Make telnet[d] -S (IP TOS) flag really work. We do not have
/etc/iptos implementation so only numeric values supported.

o telnetd.8: steal the -S flag description from telnet.1, bump
the date of the document.

MFC after:	6 weeks
2005-01-09 10:24:46 +00:00
maxim
a8c7614707 o Add -4 and -6 flags to a man page and usage(). Bump the man page
date.
2005-01-05 09:59:38 +00:00
maxim
8caa18168d o Remove -t flag from getopt(3), it was killed in rev. 1.15 three
years ago.
2005-01-05 09:47:10 +00:00
maxim
71b44528f9 o Print a correct status for unix domain sockets.
o Restore input mode when return from the command one.

PR:			bin/49983
Submitted by:		Volker Stolz
OK in general from:	markm
MFC after:		1 month
2005-01-04 21:22:32 +00:00
kan
6ecc85d1ea Add missing () to function invocation. 2004-07-28 05:37:18 +00:00
ume
881c4fa391 Switch Advanced Sockets API for IPv6 from RFC2292 to RFC3542
(aka RFC2292bis).  Though I believe this commit doesn't break
backward compatibility againt existing binaries, it breaks
backward compatibility of API.
Now, the applications which use Advanced Sockets API such as
telnet, ping6, mld6query and traceroute6 use RFC3542 API.

Obtained from:	KAME
2003-10-24 18:26:30 +00:00
ume
0bbe986bd7 EAI_ADDRFAMILY and EAI_NODATA was deprecated in RFC3493
(aka RFC2553bis).  Now, getaddrinfo(3) returns EAI_NONAME
instead of EAI_NODATA.  Our getaddrinfo(3) nor getnameinfo(3)
didn't use EAI_ADDRFAMILY.

Obtained from:	KAME
2003-10-23 13:55:36 +00:00
harti
b61072d987 Implement what has been documented for a long time: make -debug switch
on socket debugging.

Okay'ed by: markm
2003-08-13 10:56:40 +00:00
markm
141dcc06d3 Fix up external variables named "debug" that have a horrible habit
of conflicting with other, similarly named functions in static
libraries. This is done mostly by renaming the var if it is shared
amongst modules, or making it static otherwise.

OK'ed by:	re(scottl)
2003-05-11 18:17:00 +00:00
obrien
c3792f8bd9 Use __FBSDID vs. rcsid[]. Also protect sccs[] and copyright[] from GCC 3.3. 2003-05-04 02:54:49 +00:00
nectar
c4f823a8ba Unbreak Kerberos 5 authentication in telnet.
(Credential forwarding is still broken.)

PR:	bin/45397
2003-03-06 13:41:53 +00:00
nectar
637cc179f5 Background:
When libdes was replaced with OpenSSL's libcrypto, there were a few
 interfaces that the former implemented but the latter did not.  Because
 some software in the base system still depended upon these interfaces,
 we simply included them in our libcrypto (rnd_keys.c).

Now, finally get around to removing the dependencies on these
interfaces.  There were basically two cases:

  des_new_random_key -- This is just a wrapper for des_random_key, and
     these calls were replaced.

  des_init_random_number_generator et. al. -- A few functions were used
     by the application to seed libdes's PRNG.  These are not necessary
     when using libcrypto, as OpenSSL internally seeds the PRNG from
     /dev/random.  These calls were simply removed.

Again, some of the Kerberos 4 files have been taken off the vendor
branch.  I do not expect there to be future imports of KTH Kerberos 4.
2003-01-29 18:14:29 +00:00
billf
75d164a3d8 add more RFC defined telnet options
Reviewed by:	ps
2003-01-18 06:10:21 +00:00
eric
7153bb5d55 Merge argument parsing changes into this copy of telnet.
Submitted by:	markm
Approved by:	bmah
2002-11-27 06:34:24 +00:00
dd
f5801700f4 Permit the argument to the -s option to be a hostname. I see no
reason to restrict this to a numeric address.

PR:		41841
Submitted by:	Dmitry Pryanishnikov <dmitry@atlantis.dp.ua>,
		Maxim Maximov <mcsi@agava.com>
2002-10-02 00:27:14 +00:00
markm
7a2e60f0e3 Catch up with "base" telnet.
s/FALL THROUGH/FALLTHROUGH/ for lint(1).
2002-09-25 07:28:04 +00:00
markm
0ec9e3f996 Catch up with "base" telnet.
s/FALL THROUGH/FALLTHROUGH/ for lint(1).
s/Usage/usage/ for consistency.
2002-09-25 07:26:25 +00:00
markm
8466db9d92 From the requestor:
"Could you do me a favor and fix sys_bsd.c to get the howmany() macro
from <sys/param.h>, instead of <sys/types.h>?  This will save me from
having to worry about the unsync'd bits before making the change."

Requested by:	mike
2002-09-25 07:24:01 +00:00
nsayer
3781c72cd9 Encrypted strings (after hex decoding) aren't null terminated, because
0 might simply be part of the ciphertext.

PR:		bin/40266
Submitted by:	andr@dgap.mipt.ru
MFC after:	3 days
2002-08-22 06:19:07 +00:00
markm
741591a6b4 Warnings fixes. Sort out some variable types. 2002-06-26 17:06:14 +00:00
markm
d999cc9a29 Help fix warnings by marking an argument as unused. 2002-06-26 17:05:08 +00:00
jmallett
afc38d0730 Don't risk catching a signal while handling a signal for a dying child, as we
can then end up not properly clearing wtmp/utmp entries.

PR:		bin/37934
Submitted by:	Sandeep Kumar <skumar@juniper.net>
Reviewed by:	markm
MFC after:	2 weeks
2002-05-27 08:10:24 +00:00
alfred
ab796ae7fb unbreak build:
commands.c, sys_bsd.c: comment out/remove junk after #endif/#else
network.c, terminal.c, utlities.c: include stdlib.h for exit(3)
2002-05-11 03:19:44 +00:00
markm
452e85175e Fix an external declaration that was causing telnetd to core dump.
MFC after:	1 week
PR:		37766
2002-05-06 09:46:29 +00:00
nectar
63b64d9c11 Update build after import of Heimdal Kerberos 2002/02/17. 2002-02-19 15:53:33 +00:00
sheldonh
81cc5956d9 Don't use non-signal-safe functions (exit(3) in this case) in
signal handlers.  In this case, use _exit(2) instead, following
the call to shutdown(2).

This fixes rare telnetd hangs.

PR:		misc/33672
Submitted by:	Umesh Krishnaswamy <umesh@juniper.net>
MFC after:	1 month
2002-02-05 15:20:02 +00:00
ru
8c39ab0e40 mdoc(7) police: remove -r from SYNOPSIS, sort -p in DESCRIPTION. 2001-12-14 14:41:07 +00:00
jkh
fcc97a61ad Don't assume that the number of fds to select on is known quantity (in
this case 16).  Use dynamic FD_SETs and calculated high-water marks
throughout.  There are also too many versions of telnet in the tree.

Obtained from:  OpenBSD and Apple's Radar database
MFC after:      2 days
2001-12-09 09:53:27 +00:00
ru
dc891f7e3c Fixed bugs from previous revision.
Removed -s from SYNOPSIS and restored -S in DESCRIPTION.
2001-12-04 16:02:36 +00:00
jhay
06c2f4bca3 Protect variables and function prototypes that are only used in the INET6
case with an ifdef INET6.

This make the fixit floppy compile again.

Reviewed by:	markm
2001-12-03 17:42:02 +00:00
markm
c7155665d1 More help for alpha WARNS=2. This code is, erm, unusual. Anyone who
feels like rewriting it will meet no objection from me.
2001-12-03 12:16:40 +00:00
markm
7138baa87d help the alphas out with the WARNS=2 stuff. 2001-12-03 12:13:18 +00:00
markm
14227a41e2 Damn. The previous mega-commit was incomplete WRT ANSIfication. This
fixes that.
2001-11-30 22:28:07 +00:00
markm
19fd256fae Very large style makeover.
1) ANSIfy.
2) Clean up ifdefs so that
   a) ones that never/always apply are appropriately either
      fully removed, or just the #if junk is removed.
   b) change #if defined(FOO) for appropiate values of FOO.
      (currently AUTHENTICATION and ENCRYPTION)
3) WARNS=2 fixing
4) GC other unused stuff

This code can now be unifdef(1)ed to make non-crypto telnet.
2001-11-30 21:06:38 +00:00
jhb
1c9daba05c Fix world by trimming an extra comment terminator. 2001-10-29 19:22:38 +00:00
nsayer
267f5448c8 Add Berkeley copyright to SRA.
This is by the kind permission of Dave Safford, formerly of TAMU who wrote the
original code. Here is an excerpt of the e-mail exchange concerning this
issue:

Dave Safford wrote:
>Nick Sayer wrote:
>> Some time ago we spoke about SRA and importing it into FreeBSD. I forgot to
>> ask if you had a prefered license boilerplate for the top of the files. It
>> has come up recently, and the SRA code in FreeBSD doesn't have one.

>I really have no preference - use whatever is most convenient in the
>FreeBSD environment.

>dave safford

This is the standard BSD license with clause 3 removed and clause 4
suitably renumbered.

MFC after:	1 day
2001-10-29 16:12:16 +00:00
markm
4c52c72d92 Diff-reduce these two.
Really, one of them needs to disappear. I'll figure out which
later.

Reported by:	bde
2001-10-27 12:49:19 +00:00
markm
0163eae972 Add __FBSDID() to diff-reduce with "base" telnet. 2001-10-01 16:04:55 +00:00
markm
5987cca2b8 Manually unifdef(1) CRAY, UNICOS, hpux and sun uselsess code. 2001-08-29 14:16:17 +00:00
dd
2c3a92a16f Remove description of an option that only applies to UNICOS < 7.0.
That define may still be present in the source, but I don't think
anyone has plans to try to use it.

Obtained from:	NetBSD
2001-08-25 21:29:12 +00:00
markm
62fa01a04b Code merge and diff reduce with "base" telnet. This is the "later"
telnet, so it was treated as the reference code, except where later
commits were made to "base" telnet.
2001-08-20 12:28:40 +00:00
horikawa
679dd2c9f8 Removal of following export controll related sentences:
o Because of export controls, TELNET ENCRYPT option is not supported outside
  of the United States and Canada.
o Because of export controls, data encryption
  is not supported outside of the United States and Canada.

src/crypto/README revision 1.5 commit log says:
> Crypto sources are no longer export controlled:
> Explain, why crypto sources are still in crypto/.
and actually telnet encryption is used outside of US and Canada now.

Pointed out by: OHSAWA Chitoshi <ohsawa@catv1.ccn-net.ne.jp>
Reviewed by: no objection on doc
2001-08-15 01:30:25 +00:00
ru
24c7b0a61d mdoc(7) police: s/BSD/.Bx/ where appropriate. 2001-08-14 10:01:54 +00:00
kris
d051133293 output_data(), output_datalen() and netflush() didn't actually guarantee
to do what they are supposed to: under some circumstances output data would
be truncated, or the buffer would not actually be flushed (possibly leading
to overflows when the caller assumes the operation succeeded).  Change the
semantics so that these functions ensure they complete the operation before
returning.

Comment out diagnostic code enabled by '-D reports' which causes an
infinite recursion and an eventual crash.

Patch developed with assistance from ru and assar.
2001-07-23 21:52:26 +00:00
ru
4b023c5a9f More potential buffer overflow fixes.
o Fixed `nfrontp' calculations in output_data().  If `remaining' is
  initially zero, it was possible for `nfrontp' to be decremented.

Noticed by:	dillon

o Replaced leaking writenet() with output_datalen():

:  * writenet
:  *
:  * Just a handy little function to write a bit of raw data to the net.
:  * It will force a transmit of the buffer if necessary
:  *
:  * arguments
:  *    ptr - A pointer to a character string to write
:  *    len - How many bytes to write
:  */
: 	void
: writenet(ptr, len)
: 	register unsigned char *ptr;
: 	register int len;
: {
: 	/* flush buffer if no room for new data) */
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
: 	if ((&netobuf[BUFSIZ] - nfrontp) < len) {
: 		/* if this fails, don't worry, buffer is a little big */
                   ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
: 		netflush();
: 	}
:
: 	memmove(nfrontp, ptr, len);
: 	nfrontp += len;
:
: }  /* end of writenet */

What an irony!  :-)

o Optimized output_datalen() a bit.
2001-07-20 12:02:30 +00:00
ru
5bfe15ad2f vsnprintf() can return a value larger than the buffer size.
Submitted by:	assar
Obtained from:	OpenBSD
2001-07-19 18:58:31 +00:00