Add regression test for TelnetLayer stale offset heap-buffer-overflow

alacrity-aya · alacrity-aya · commit 96ba7792ecfc · 2026-05-25T09:43:35.000+08:00
Test TelnetCommandAfterDataParsingTests verifies that getOption(TelnetCommand)
and getOptionData(TelnetCommand, size_t&amp;) work correctly when user data
(escaped IAC) precedes a command field, which previously caused a
heap-buffer-overflow due to stale offset calculation.
diff --git a/Tests/Packet++Test/PacketExamples/telnetCommandAfterData.dat b/Tests/Packet++Test/PacketExamples/telnetCommandAfterData.dat
@@ -0,0 +1 @@
+00112233445566778899aabb08004500002e1234400040060000c0a80a01c0a80a0200173039000000000000000050187fff00000000fffffffa1700
diff --git a/Tests/Packet++Test/TestDefinition.h b/Tests/Packet++Test/TestDefinition.h
@@ -236,6 +236,7 @@ PTF_TEST_CASE(NtpCreationTests);
 
 // Implemented in TelnetTests.cpp
 PTF_TEST_CASE(TelnetCommandParsingTests);
+PTF_TEST_CASE(TelnetCommandAfterDataParsingTests);
 PTF_TEST_CASE(TelnetDataParsingTests);
 
 // Implemented in IcmpV6Tests.cpp
diff --git a/Tests/Packet++Test/Tests/TelnetTests.cpp b/Tests/Packet++Test/Tests/TelnetTests.cpp
@@ -255,6 +255,40 @@ PTF_TEST_CASE(TelnetCommandParsingTests)
 	}
 }
 
+PTF_TEST_CASE(TelnetCommandAfterDataParsingTests)
+{
+	// Regression test for heap-buffer-overflow in getOption(TelnetCommand) / getOptionData(TelnetCommand, size_t&)
+	// when user data (escaped IAC) precedes a command. The stale offset bug caused reads past the buffer end.
+	// Payload: FF FF (escaped IAC = user data) + FF FA 17 00 (IAC SB SendLocation 0x00)
+	auto rawPacket1 = createPacketFromHexResource("PacketExamples/telnetCommandAfterData.dat");
+
+	pcpp::Packet telnetPacket(rawPacket1.get());
+	pcpp::TelnetLayer* telnetLayer = telnetPacket.getLayerOfType<pcpp::TelnetLayer>();
+
+	PTF_ASSERT_NOT_NULL(telnetLayer);
+
+	// Total commands: 1 (the subnegotiation)
+	PTF_ASSERT_EQUAL(telnetLayer->getTotalNumberOfCommands(), 1);
+
+	// getFirstCommand should find the subnegotiation
+	PTF_ASSERT_EQUAL(telnetLayer->getFirstCommand(), pcpp::TelnetLayer::TelnetCommand::Subnegotiation, enumclass);
+
+	// getOption(Subnegotiation) should return SendLocation without crashing
+	PTF_ASSERT_EQUAL(telnetLayer->getOption(pcpp::TelnetLayer::TelnetCommand::Subnegotiation),
+	                 pcpp::TelnetLayer::TelnetOption::SendLocation, enumclass);
+
+	// getOptionData(Subnegotiation) should return the subneg data without crashing
+	size_t length = 0;
+	uint8_t* optData = telnetLayer->getOptionData(pcpp::TelnetLayer::TelnetCommand::Subnegotiation, length);
+	PTF_ASSERT_NOT_NULL(optData);
+	PTF_ASSERT_EQUAL(length, 1);
+	PTF_ASSERT_EQUAL(optData[0], 0x00);
+
+	// getOption for a command that doesn't exist should return NoOption without crashing
+	PTF_ASSERT_EQUAL(telnetLayer->getOption(pcpp::TelnetLayer::TelnetCommand::WillPerform),
+	                 pcpp::TelnetLayer::TelnetOption::TelnetOptionNoOption, enumclass);
+}
+
 PTF_TEST_CASE(TelnetDataParsingTests)
 {
 
diff --git a/Tests/Packet++Test/main.cpp b/Tests/Packet++Test/main.cpp
@@ -325,6 +325,7 @@ int main(int argc, char* argv[])
 	PTF_RUN_TEST(NtpCreationTests, "ntp");
 
 	PTF_RUN_TEST(TelnetCommandParsingTests, "telnet");
+	PTF_RUN_TEST(TelnetCommandAfterDataParsingTests, "telnet");
 	PTF_RUN_TEST(TelnetDataParsingTests, "telnet");
 
 	PTF_RUN_TEST(TpktLayerTest, "tpkt");

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	`+00112233445566778899aabb08004500002e1234400040060000c0a80a01c0a80a0200173039000000000000000050187fff00000000fffffffa1700`