commons-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Archie Cobbs (JIRA)" <j...@apache.org>
Subject [jira] Created: (NET-345) Telnet client: not properly handling IAC bytes within subnegotiation messages
Date Fri, 19 Nov 2010 22:54:13 GMT
Telnet client: not properly handling IAC bytes within subnegotiation messages
-----------------------------------------------------------------------------

                 Key: NET-345
                 URL: https://issues.apache.org/jira/browse/NET-345
             Project: Commons Net
          Issue Type: Bug
          Components: Telnet
    Affects Versions: 2.0
            Reporter: Archie Cobbs
         Attachments: patch3.txt

Subnegotiation messages in telnet are sent using the sequence {{IAC SB ... IAC SE}}.

Although it's not clearly spelled out in [RFC 854|http://tools.ietf.org/html/rfc854], any
{{IAC}} ({{0xff}}) bytes inside these messages must be escaped by doubling. Other clients
do this and this is the only behavior that makes sense.

The commons-net telnet client is failing both to escape and to unescape {{IAC}} bytes within
subnegotiation messages. Moreover, if it does receive a valid {{IAC IAC}} sequence within
a subnegotiation message, it will incorrectly jump back to "data" input mode, discarding the
message and introducing its remainder as garbage in the data stream.

In addition, the code fails to check for an overflow of the subnegotiation buffer, which would
cause an {{ArrayIndexOutOfBounds}} exception if a malicious peer triggered this condition.

Finally, a {{IAC SE}} sequence appearing by itself should probably be discarded, rather than
passing as a command to the handler.

I'm attaching a patch to fix these issues.


-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.


Mime
View raw message