Skip to content

telnet: use pointer[0] for "unknown" option instead of pointer[i] #18851

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
MegaManSec wants to merge 1 commit into from
Closed

telnet: use pointer[0] for "unknown" option instead of pointer[i] #18851

MegaManSec wants to merge 1 commit into from

Conversation

@MegaManSec
Copy link
Contributor

@MegaManSec MegaManSec commented Oct 5, 2025

i is taken from pointer[length-2] (often the IAC byte) before we do length -= 2, so using pointer[i] indexes an arbitrary/stale byte unrelated to the option code. pointer[0] is the suboption’s option code per the telnet SB format, so printing pointer[0] yields correct, stable diagnostics.

@MegaManSec
telnet: use pointer[0] for "unknown" option instead of pointer[i]
7273976 
i is taken from pointer[length-2] (often the IAC byte) before we do length -= 2,
so using pointer[i] indexes an arbitrary/stale byte unrelated to the option code.
pointer[0] is the suboption’s option code per the telnet SB
format, so printing pointer[0] yields correct, stable diagnostics.
@MegaManSec
Copy link
Contributor Author

MegaManSec commented Oct 5, 2025

Note: An initial analysis showed this may actually patch an OOB read, but I think that isn't possible.

@bagder bagder closed this in eb88092 Oct 5, 2025
@bagder
Copy link
Member

bagder commented Oct 5, 2025

Thanks!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@bagder bagder bagder approved these changes

Assignees

No one assigned

Labels

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@MegaManSec @bagder