> It seems that the pnserver bug was different than first thought. The
> telnet client sends 6 characters that crash the server when its own
> maxbuffer is reached. Here is a working exploit.

> sprintf(buffer, "%c%c%c%c%c", 255, 244, 255, 253, 6);
> write(sock, &buffer[0], strlen(buffer));

(Um, that's only 5 characters.)

Hmmm. In telnet terms, IAC IP IAC DO TIMING-MARK. (See RFCs 854 and 860 for more.)

What telnet client is this? Not to imply that pnserver is not wrong to crash, but this looks like a somewhat weird thing for a telnet client to send - or have I missed part of the discussion? This would make sense if the telnet client generated it in response to something like a terminal interrupt character.

der Mouse

mouseat_private
7D C8 61 52 5D E7 2D 39 4E F1 31 3E E8 B3 27 4B
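The decoding above (255 244 255 253 6 = IAC IP IAC DO TIMING-MARK, per RFC 854 and RFC 860) is the kind of thing a server on a telnet port has to do before it copies anything into its line buffer. The following C code is an added illustration, not code from this thread or from pnserver: it names the RFC 854 command bytes, describes each IAC sequence it finds, and separates negotiation bytes from data while copying the data into a fixed-capacity buffer that is never overrun (it reports truncation instead). The function names (`tn_parse_command`, `tn_demux`) and the result struct are my own choices; the five-byte sample is constructed from the bytes quoted above.

```c
#include <stdio.h>
#include <stddef.h>
#include <string.h>

/* Telnet command bytes (RFC 854) and the TIMING-MARK option (RFC 860). */
enum {
    TN_SE = 240, TN_NOP = 241, TN_DM = 242, TN_BRK = 243, TN_IP = 244,
    TN_AO = 245, TN_AYT = 246, TN_EC = 247, TN_EL = 248, TN_GA = 249,
    TN_SB = 250, TN_WILL = 251, TN_WONT = 252, TN_DO = 253, TN_DONT = 254,
    TN_IAC = 255
};
enum { TN_OPT_TIMING_MARK = 6 };

static const char *tn_cmd_name(unsigned char c) {
    static const char *names[] = {
        "SE", "NOP", "DM", "BRK", "IP", "AO", "AYT", "EC", "EL", "GA",
        "SB", "WILL", "WONT", "DO", "DONT", "IAC"
    };
    return (c >= TN_SE) ? names[c - TN_SE] : "?";
}

static const char *tn_opt_name(unsigned char o) {
    /* Only the option this thread is about gets a name; others print as OPT. */
    return (o == TN_OPT_TIMING_MARK) ? "TIMING-MARK" : "OPT";
}

/* Describe the command that starts at buf[0] (which must be IAC).
   Returns the number of bytes consumed, or 0 if the sequence is incomplete
   and the caller should wait for more input. desc receives text such as
   "IAC DO TIMING-MARK". */
size_t tn_parse_command(const unsigned char *buf, size_t len,
                        char *desc, size_t desclen) {
    if (len < 2 || buf[0] != TN_IAC) return 0;
    unsigned char cmd = buf[1];
    if (cmd == TN_WILL || cmd == TN_WONT || cmd == TN_DO || cmd == TN_DONT) {
        if (len < 3) return 0;                     /* option byte not here yet */
        snprintf(desc, desclen, "IAC %s %s", tn_cmd_name(cmd), tn_opt_name(buf[2]));
        return 3;
    }
    if (cmd == TN_SB) {
        /* Subnegotiation runs until IAC SE; without the terminator, wait. */
        for (size_t i = 2; i + 1 < len; i++)
            if (buf[i] == TN_IAC && buf[i + 1] == TN_SE) {
                snprintf(desc, desclen, "IAC SB ... IAC SE (%zu bytes)", i + 2);
                return i + 2;
            }
        return 0;
    }
    snprintf(desc, desclen, "IAC %s", tn_cmd_name(cmd)); /* two-byte command */
    return 2;
}

typedef struct {
    size_t commands;   /* IAC sequences found in this chunk */
    size_t data_bytes; /* data bytes copied into out */
    int truncated;     /* 1 if out was too small for the data */
    char last_cmd[64]; /* description of the last command seen */
} tn_result;

/* Split a received chunk into telnet commands (counted, last one described)
   and data bytes (copied into out, never more than cap). An escaped IAC IAC
   is a single 0xFF data byte. */
tn_result tn_demux(const unsigned char *in, size_t len,
                   unsigned char *out, size_t cap) {
    tn_result r = {0, 0, 0, ""};
    size_t i = 0;
    while (i < len) {
        if (in[i] == TN_IAC && i + 1 < len && in[i + 1] == TN_IAC) {
            if (r.data_bytes < cap) out[r.data_bytes++] = TN_IAC;
            else r.truncated = 1;
            i += 2;
            continue;
        }
        if (in[i] == TN_IAC) {
            size_t n = tn_parse_command(in + i, len - i, r.last_cmd, sizeof r.last_cmd);
            if (n == 0) break;                     /* incomplete: keep for next read */
            r.commands++;
            i += n;
            continue;
        }
        if (r.data_bytes < cap) out[r.data_bytes++] = in[i];
        else r.truncated = 1;                      /* bounded copy, no crash */
        i++;
    }
    return r;
}

int main(void) {
    /* Constructed from the five bytes quoted in the thread. */
    static const unsigned char sample[5] = {255, 244, 255, 253, 6};
    unsigned char out[16];
    tn_result r = tn_demux(sample, sizeof sample, out, sizeof out);
    printf("%zu commands, %zu data bytes, last: %s\n",
           r.commands, r.data_bytes, r.last_cmd);
    return 0;
}
```

Running it on the quoted bytes reports two commands and no data, the second being IAC DO TIMING-MARK; the point for a server author is that negotiation bytes are consumed by `tn_parse_command` and the data path is bounded by `cap`, so neither a burst of IAC sequences nor a long line reaches a buffer past its limit.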
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:39:38 PDT