Commons Net / NET-345

Telnet client: not properly handling IAC bytes within subnegotiation messages

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 2.0
    • Fix Version/s: 3.0
    • Component/s: Telnet
    • Labels:
      None

      Description

      Subnegotiation messages in telnet are sent using the sequence IAC SB ... IAC SE.

      Although it's not clearly spelled out in RFC 854, any IAC (0xff) bytes inside these messages must be escaped by doubling. Other clients do this and this is the only behavior that makes sense.

      The commons-net telnet client is failing both to escape and to unescape IAC bytes within subnegotiation messages. Moreover, if it does receive a valid IAC IAC sequence within a subnegotiation message, it will incorrectly jump back to "data" input mode, discarding the message and introducing its remainder as garbage in the data stream.

      In addition, the code fails to check for an overflow of the subnegotiation buffer, which would cause an ArrayIndexOutOfBounds exception if a malicious peer triggered this condition.

      Finally, an IAC SE sequence appearing by itself should probably be discarded, rather than passing as a command to the handler.

      I'm attaching a patch to fix these issues.

        Attachments

        1. patch4.txt
          1 kB
          Archie Cobbs
        2. patch3.txt
          2 kB
          Archie Cobbs
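The behaviour the description asks for, as an added example that is not the attached patch or any Commons Net code: IAC doubling on send, unescaping on receive without leaving subnegotiation mode, a bounded buffer, and a lone IAC SE discarded. The class name, the 512-byte cap and the sample bytes are assumptions; option negotiation is left out and the switch syntax needs Java 14 or later.

```java
import java.io.ByteArrayOutputStream;
import java.util.*;

/** Added sketch with hypothetical names; not the Commons Net implementation. */
public class SubnegParser {
    static final int IAC = 0xff, SB = 0xfa, SE = 0xf0;
    private enum State { DATA, DATA_IAC, SUB, SUB_IAC }
    private State state = State.DATA;
    private final byte[] buf = new byte[512]; // assumed cap, not from the page
    private int len;
    private boolean overflow;
    final ByteArrayOutputStream data = new ByteArrayOutputStream();
    final List<byte[]> messages = new ArrayList<>();
    void feed(int b) {
        b &= 0xff;
        switch (state) {
            case DATA -> { if (b == IAC) state = State.DATA_IAC; else data.write(b); }
            case DATA_IAC -> {
                if (b == SB) { len = 0; overflow = false; state = State.SUB; return; }
                if (b == IAC) data.write(IAC); // escaped 0xff in ordinary data
                state = State.DATA; // lone IAC SE dropped; WILL/DO etc. not modelled
            }
            case SUB -> { if (b == IAC) state = State.SUB_IAC; else store(b); }
            case SUB_IAC -> {
                if (b == IAC) { store(IAC); state = State.SUB; return; } // unescape, stay in SUB
                if (b == SE && !overflow) messages.add(Arrays.copyOf(buf, len));
                state = State.DATA; // SE ends the message; any other byte aborts it
            }
        }
    }
    private void store(int b) { // bounds check: an oversized message is flagged and dropped
        if (len < buf.length) buf[len++] = (byte) b; else overflow = true;
    }
    static byte[] frame(byte[] payload) { // sender side: double each IAC, then frame
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        out.write(IAC); out.write(SB);
        for (byte p : payload) { if ((p & 0xff) == IAC) out.write(IAC); out.write(p); }
        out.write(IAC); out.write(SE);
        return out.toByteArray();
    }
    public static void main(String[] args) {
        byte[] payload = { 0x1f, 0x00, (byte) 0xff, 0x50 }; // constructed sample
        SubnegParser p = new SubnegParser();
        p.feed('a'); p.feed(IAC); p.feed(SE); // stray IAC SE between data bytes
        for (byte x : frame(payload)) p.feed(x);
        p.feed('b');
        System.out.println(Arrays.equals(payload, p.messages.get(0)) + " " + p.data);
    }
}
```

Running main feeds a stray IAC SE, one framed message whose payload contains 0xff, and two data bytes; the message round-trips intact and only the two data bytes reach the data stream.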

            People

            • Assignee:
              Unassigned
              Reporter:
              archie172 Archie Cobbs
