See if the attached patch helps.
It applies cleanly to ports/security/krb5-appl, but may need adjustment
for the base system telnetd.
- Tim
On Sun, 24 Apr 2016, Rustam wrote:
> I got a couple of dozen dumps in /usr/libexec/telnetd (signal 11), and I'm
> wondering what those could be.
>
> FreeBSD 10.3-RELEASE, built from source.
>
> Dump stack trace:
> telrcv+333
> ttloop+7C
> doit+1687
> main+64D
>
> Dump is at address 0x0000000000404713:
>
> .text:0004046E2 loc_4046E2:
> .text:0004046E2 test byte ptr cs:diagnostic, 10h ; jumptable 0004046DB cases 11,12
> .text:0004046E9 jz short loc_4046F7
> .text:0004046EB mov edi, offset fmt ; "td: recv IAC"
> .text:0004046F0 mov esi, ebx ; option
> .text:0004046F2 call printoption
> .text:0004046F7 loc_4046F7:
> .text:0004046F7 call ptyflush
> .text:0004046FC call init_termbuf
> .text:000404701 cmp ebx, 0F7h
> .text:000404707 mov eax, 6199D8h
> .text:00040470C cmovz rax, r14
> .text:000404710 mov rax, [rax]
> .text:000404713 mov al, [rax] ; <========== Signal 11 HERE
> .text:000404715 cmp al, 0FFh
> .text:000404717 jz loc_40495A ; jumptable 0004046DB default case
> .text:00040471D mov rcx, cs:pfrontp
> .text:000404724 lea rdx, [rcx+1]
> .text:000404728 mov cs:pfrontp, rdx
> .text:00040472F mov [rcx], al
> .text:000404731 mov cs:telrcv_state, 0
> .text:00040473B jmp loc_4049A0
>
>
> Regards,
>
> Rustam
> _______________________________________________
> freebsd-security at freebsd.org mailing list
> https://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to "freebsd-security-unsubscribe at freebsd.org"
>
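An added C illustration (not telnetd's source and not Tim's patch) of the fault the dump shows, a NULL `sptr` dereferenced for an unmapped SLC slot, beside a handler that treats NULL as "disabled"; `slc_entry`, `set_slc`, `handle_ec_el` and `ec_el_as_patch_parses` are constructed names. The second function shows how the unbraced nesting in the attached patch is actually parsed by a C compiler.

```c
#include <termios.h>   /* cc_t */
#include <unistd.h>    /* NULL, _POSIX_VDISABLE on most libcs */
#ifndef _POSIX_VDISABLE
#define _POSIX_VDISABLE 0xff   /* FreeBSD's value; fallback only */
#endif

/* Constructed stand-in for telnetd's slctab and the EC/EL commands (RFC 854). */
#define EC 247
#define EL 248
enum { SLC_EC = 10, SLC_EL = 11, SLC_MAX = 12 };
struct slc_entry { cc_t *sptr; };   /* sptr stays NULL while a slot is unmapped */
static struct slc_entry slctab[SLC_MAX];
static cc_t erase_c = 0x7f, kill_c = 0x15;  /* constructed sample special chars */
static unsigned char out;                   /* byte that would go to pfrontp */
void set_slc(int slot, cc_t *p) { slctab[slot].sptr = p; }

/* Hardened handler: a NULL sptr means "function disabled" instead of a fault
 * on *sptr (the mov al,[rax] in the dump), and each branch is braced so the
 * else belongs to (c == EC). Returns 1 if a byte was queued in *dst. */
int handle_ec_el(int c, unsigned char *dst)
{
    cc_t ch = (cc_t)_POSIX_VDISABLE;
    if (c == EC) {
        if (slctab[SLC_EC].sptr)
            ch = *slctab[SLC_EC].sptr;
    } else {
        if (slctab[SLC_EL].sptr)
            ch = *slctab[SLC_EL].sptr;
    }
    if (ch == (cc_t)_POSIX_VDISABLE) return 0;
    *dst = (unsigned char)ch;
    return 1;
}

/* The patch's unbraced nesting with the braces the C grammar actually implies:
 * the else binds to the inner if, so an EL command never reaches SLC_EL and an
 * EC command with an unmapped slot falls through to EL's character. */
int ec_el_as_patch_parses(int c, unsigned char *dst)
{
    cc_t ch = (cc_t)_POSIX_VDISABLE;
    if (c == EC) {
        if (slctab[SLC_EC].sptr)
            ch = *slctab[SLC_EC].sptr;
        else if (slctab[SLC_EL].sptr)
            ch = *slctab[SLC_EL].sptr;
    }
    if (ch == (cc_t)_POSIX_VDISABLE) return 0;
    *dst = (unsigned char)ch;
    return 1;
}
```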
-------------- next part --------------
--- telnet/telnetd/state.c.orig 2016-02-19 14:44:57.000000000 -0600
+++ telnet/telnetd/state.c 2016-02-19 14:47:44.000000000 -0600
@@ -227,16 +227,18 @@
case EC:
case EL:
{
- cc_t ch;
+ cc_t ch = (cc_t)(_POSIX_VDISABLE);
DIAG(TD_OPTIONS,
printoption("td: recv IAC", c));
ptyflush(); /* half-hearted */
init_termbuf();
if (c == EC)
- ch = *slctab[SLC_EC].sptr;
+ if (slctab[SLC_EC].sptr)
+ ch = *slctab[SLC_EC].sptr;
else
- ch = *slctab[SLC_EL].sptr;
+ if (slctab[SLC_EL].sptr)
+ ch = *slctab[SLC_EL].sptr;
if (ch != (cc_t)(_POSIX_VDISABLE))
*pfrontp++ = (unsigned char)ch;
break;
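Review bot: the new `if (slctab[SLC_EC].sptr)` and `if (slctab[SLC_EL].sptr)` guards are unbraced, so the existing `else` now binds to the inner `if (slctab[SLC_EC].sptr)` rather than to `if (c == EC)`: when `c == EL` the outer test fails, nothing is assigned, `ch` keeps `_POSIX_VDISABLE` and the erase-line command is silently dropped, and when `c == EC` with a NULL `SLC_EC` pointer the code falls through to `*slctab[SLC_EL].sptr`. Brace both branches, i.e. `if (c == EC) { if (slctab[SLC_EC].sptr) ch = *slctab[SLC_EC].sptr; } else { if (slctab[SLC_EL].sptr) ch = *slctab[SLC_EL].sptr; }`, so the NULL checks keep the original EC/EL selection. Initialising `ch` to `_POSIX_VDISABLE` is the right way to turn an unmapped slot into a no-op instead of the fault at `*sptr` that the `mov al, [rax]` line in the dump shows.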