Subject: bin/12004: telnet and tn3270 have buffer overflow
To: None <gnats-bugs@gnats.netbsd.org>
From: Jeremy C. Reed <reed@reedmedia.net>
List: netbsd-bugs
Date: 01/19/2001 17:39:20
>Number:         12004
>Category:       bin
>Synopsis:       tn3270 and telnet get Seg Fault when argument is long
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    bin-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Fri Jan 19 17:42:01 PST 2001
>Closed-Date:
>Last-Modified:
>Originator:     Jeremy C. Reed
>Release:        1.5.1_ALPHA
>Organization:
	
>Environment:
	
System: NetBSD rainier 1.5.1_ALPHA NetBSD 1.5.1_ALPHA (JCR-1.5-20010108) #0: Mon Jan 8 09:25:45 PST 2001 reed@rainier:/usr/src/sys/arch/i386/compile/JCR-1.5-20010108 i386


>Description:
 telnet and tn3270 get a segmentation fault from a bad strcpy in 
 telnet/commands.c.
 For further details look at:
 http://mail-index.netbsd.org/current-users/2001/01/18/0062.html
 http://mail-index.netbsd.org/current-users/2001/01/19/0007.html
>How-To-Repeat:
  Use a 99999-character command line argument.
>Fix:
I guess it should check if hostp is too long and then give a
friendly error.
Problem I believe is on line 2434.

Or something like:

(void) strncpy(_hostname, hostp, sizeof(_hostname));


>Release-Note:
>Audit-Trail:
>Unformatted: