https://blog.qife122.com/tags/%E6%8C%87%E9%92%88%E4%B8%8B%E6%BA%A2/ Recent content in 指针下溢 on 办公AI智能小助手 Hugo zh-cn qife Tue, 30 Dec 2025 12:50:56 +0800 https://blog.qife122.com/p/curl%E5%BA%93telnet%E5%8D%8F%E8%AE%AE%E5%A4%84%E7%90%86%E5%99%A8%E4%B8%AD%E7%9A%84%E6%8C%87%E9%92%88%E4%B8%8B%E6%BA%A2%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90/ Tue, 30 Dec 2025 12:50:56 +0800 https://blog.qife122.com/p/curl%E5%BA%93telnet%E5%8D%8F%E8%AE%AE%E5%A4%84%E7%90%86%E5%99%A8%E4%B8%AD%E7%9A%84%E6%8C%87%E9%92%88%E4%B8%8B%E6%BA%A2%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90/ <h1 id="telnet子选项缓冲区指针下溢导致越界读取漏洞分析">Telnet子选项缓冲区指针下溢导致越界读取漏洞分析</h1> <h2 id="漏洞概述">漏洞概述</h2> <p>在curl的telnet协议处理器（lib/telnet.c）中存在缓冲区指针下溢漏洞。当在<code>CURL_TS_SE</code>状态处理telnet子选项时，代码无条件地将子选项缓冲区指针递减2（<code>subpointer -= 2</code>），即使<code>CURL_SB_ACCUM</code>宏因缓冲区已满而跳过写入操作。这导致随后调用<code>suboption()</code>和<code>printsub()</code>时发生越界读取。</p>