From: "Sebb (JIRA)"
To: issues@commons.apache.org
Date: Thu, 3 Mar 2011 01:44:36 +0000 (UTC)
Subject: [jira] Updated: (NET-345) Telnet client: not properly handling IAC bytes within subnegotiation messages
Message-ID: <207517963.9836.1299116676975.JavaMail.tomcat@hel.zones.apache.org>
In-Reply-To: <3438955.209961290207253956.JavaMail.jira@thor>

[ https://issues.apache.org/jira/browse/NET-345?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Sebb updated NET-345:
---------------------

    Fix Version/s: 3.0

> Telnet client: not properly handling IAC bytes within subnegotiation messages
> -----------------------------------------------------------------------------
>
>                 Key: NET-345
>                 URL: https://issues.apache.org/jira/browse/NET-345
>             Project: Commons Net
>          Issue Type: Bug
>          Components: Telnet
>    Affects Versions: 2.0
>            Reporter: Archie Cobbs
>             Fix For: 3.0
>
>         Attachments: patch3.txt, patch4.txt
>
>
> Subnegotiation messages in telnet are sent using the sequence {{IAC SB ... IAC SE}}.
> Although it's not clearly spelled out in [RFC 854|http://tools.ietf.org/html/rfc854], any {{IAC}} ({{0xff}}) bytes inside these messages must be escaped by doubling. Other clients do this and this is the only behavior that makes sense.
> The commons-net telnet client is failing both to escape and to unescape {{IAC}} bytes within subnegotiation messages. Moreover, if it does receive a valid {{IAC IAC}} sequence within a subnegotiation message, it will incorrectly jump back to "data" input mode, discarding the message and introducing its remainder as garbage in the data stream.
> In addition, the code fails to check for an overflow of the subnegotiation buffer, which would cause an {{ArrayIndexOutOfBounds}} exception if a malicious peer triggered this condition.
> Finally, an {{IAC SE}} sequence appearing by itself should probably be discarded, rather than passing as a command to the handler.
> I'm attaching a patch to fix these issues.
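The framing and receive-side behavior the report asks for, as an added Python example; it is neither Commons Net code nor the attached patch. The names `frame_subneg`, `parse`, the state labels and the `MAX_SUBNEG` cap are assumptions of this example, as is the choice to drop a malformed or oversized message.

```python
IAC, SB, SE = 0xFF, 0xFA, 0xF0   # Telnet command bytes (RFC 854)
WILL, DONT = 0xFB, 0xFE          # commands 0xFB..0xFE are followed by one option byte
MAX_SUBNEG = 512                 # assumed cap, not the Commons Net buffer size

def frame_subneg(payload: bytes) -> bytes:
    """Sender side: wrap payload in IAC SB ... IAC SE, doubling any 0xff inside."""
    return bytes([IAC, SB]) + payload.replace(b"\xff", b"\xff\xff") + bytes([IAC, SE])

def parse(stream: bytes):
    """Receiver side: return (data, subnegotiations, dropped) for a byte stream."""
    data, subnegs, dropped = bytearray(), [], 0
    buf, oversized, state = bytearray(), False, "DATA"
    for b in stream:
        if state == "DATA":
            if b == IAC:
                state = "IAC"
            else:
                data.append(b)
        elif state == "IAC":
            if b == IAC:                      # escaped 0xff in the data stream
                data.append(IAC)
                state = "DATA"
            elif b == SB:                     # start collecting a subnegotiation
                buf.clear()
                oversized, state = False, "SB"
            elif WILL <= b <= DONT:
                state = "OPT"                 # skip the option byte that follows
            else:
                if b == SE:                   # bare IAC SE: discard, do not dispatch
                    dropped += 1
                state = "DATA"
        elif state == "OPT":
            state = "DATA"
        elif state == "SB" and b == IAC:
            state = "SB_IAC"                  # next byte decides: escape or terminator
        elif state == "SB_IAC" and b != IAC:  # IAC SE ends the message
            if b == SE and not oversized:
                subnegs.append(bytes(buf))
            else:                             # oversized, or IAC + unexpected byte
                dropped += 1
            state = "DATA"
        else:                                 # payload byte, or IAC IAC -> literal 0xff
            state = "SB"
            if len(buf) < MAX_SUBNEG:
                buf.append(b)
            else:
                oversized = True              # bound the buffer instead of overflowing
    return bytes(data), subnegs, dropped
```

The key point is that `IAC IAC` inside a subnegotiation returns to the `SB` state rather than to `DATA`, so the rest of the message never leaks into the data stream.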