Buffer overflow and environment passing fixes [originally inspired from

FreeBSD]. We really didn't need the environment fixes, but for the sake
of keeping the code as close as possible...

libexec/telnetd/defs.h

@@ -1,4 +1,4 @@
-/*	$NetBSD: defs.h,v 1.7 1998/04/01 15:05:10 kleink Exp $	*/
+/*	$NetBSD: defs.h,v 1.8 2000/11/19 20:17:39 christos Exp $	*/
 
 /*
  * Copyright (c) 1989, 1993
@@ -298,3 +298,8 @@ typedef struct {
 
 #define his_will_wont_is_changing	my_do_dont_is_changing
 #define his_do_dont_is_changing		my_will_wont_is_changing
+
+/*
+ * Initialization buffer for tty device [16 characters long]
+ */
+#define NULL16STR	"\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"

libexec/telnetd/sys_term.c

@@ -1,4 +1,4 @@
-/*	$NetBSD: sys_term.c,v 1.18 1999/12/31 12:42:35 tron Exp $	*/
+/*	$NetBSD: sys_term.c,v 1.19 2000/11/19 20:17:39 christos Exp $	*/
 
 /*
  * Copyright (c) 1989, 1993
@@ -38,7 +38,7 @@
 #if 0
 static char sccsid[] = "@(#)sys_term.c	8.4+1 (Berkeley) 5/30/95";
 #else
-__RCSID("$NetBSD: sys_term.c,v 1.18 1999/12/31 12:42:35 tron Exp $");
+__RCSID("$NetBSD: sys_term.c,v 1.19 2000/11/19 20:17:39 christos Exp $");
 #endif
 #endif /* not lint */
 
@@ -482,13 +482,13 @@ getnpty()
  * Returns the file descriptor of the opened pty.
  */
 #ifndef	__GNUC__
-char *line = "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0";
+char *line = NULL16STR;
 #else
-static char Xline[] = "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0";
+static char Xline[] = NULL16STR;
 char *line = Xline;
 #endif
 #ifdef	CRAY
-char *myline = "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0";
+char *myline = NULL16STR;
 #endif	/* CRAY */
 
 #ifdef OPENPTY_PTY
@@ -522,7 +522,7 @@ int *ptynum;
 	if (p > 0) {
 		grantpt(p);
 		unlockpt(p);
-		strcpy(line, ptsname(p));
+		(void)strlcpy(line, ptsname(p), sizeof(NULL16STR));
 		return(p);
 	}
 
@@ -1601,7 +1601,7 @@ start_login(host, autologin, name)
 #endif
 #ifdef SOLARIS
 	char *term;
-	char termbuf[64];
+	char termnamebuf[64];
 #endif
 
 #ifdef	UTMPX
@@ -1655,9 +1655,10 @@ start_login(host, autologin, name)
 		if (term == NULL || term[0] == 0) {
 			term = "-";
 		} else {
-			strcpy(termbuf, "TERM=");
-			strncat(termbuf, term, sizeof(termbuf) - 6);
-			term = termbuf;
+			(void)strcpy(termnamebuf, "TERM=");
+			(void)strlcpy(&termnamebuf[5], term,
+			    sizeof(termnamebuf) - 6);
+			term = termnamebuf;
 		}
 		argv = addarg(argv, term);
 #endif
@@ -1893,6 +1894,17 @@ scrub_env()
 		if (strncmp(*cpp, "LD_", 3) &&
 		    strncmp(*cpp, "_RLD_", 5) &&
 		    strncmp(*cpp, "LIBPATH=", 8) &&
+		    strncmp(*cpp, "LOCALDOMAIN=", 12) &&
+		    strncmp(*cpp, "RES_OPTIONS=", 12) &&
+		    strncmp(*cpp, "TERMINFO=", 9) &&
+		    strncmp(*cpp, "TERMINFO_DIRS=", 14) &&
+		    /*
+		     * We dissallow TERMPATH and TERMCAP
+		     * entries that reference files.
+		     */
+		    strncmp(*cpp, "TERMPATH=", 9) &&
+		    strncmp(*cpp, "TERMCAP=/", 9) &&
+		    strncmp(*cpp, "ENV=", 4) &&
 		    strncmp(*cpp, "IFS=", 4))
 			*cpp2++ = *cpp;
 	}

libexec/telnetd/telnetd.c

@@ -1,4 +1,4 @@
-/*	$NetBSD: telnetd.c,v 1.22 2000/08/18 03:25:52 itojun Exp $	*/
+/*	$NetBSD: telnetd.c,v 1.23 2000/11/19 20:17:39 christos Exp $	*/
 
 /*
  * Copyright (C) 1997 and 1998 WIDE Project.
@@ -69,7 +69,7 @@ __COPYRIGHT("@(#) Copyright (c) 1989, 1993\n\
 #if 0
 static char sccsid[] = "@(#)telnetd.c	8.4 (Berkeley) 5/30/95";
 #else
-__RCSID("$NetBSD: telnetd.c,v 1.22 2000/08/18 03:25:52 itojun Exp $");
+__RCSID("$NetBSD: telnetd.c,v 1.23 2000/11/19 20:17:39 christos Exp $");
 #endif
 #endif /* not lint */
 
@@ -922,13 +922,12 @@ doit(who)
 #else
 	for (;;) {
 		char *lp;
-		extern char *line;
 
 		if ((lp = getpty()) == NULL)
 			fatal(net, "Out of ptys");
 
 		if ((pty = open(lp, 2)) >= 0) {
-			strcpy(line,lp);
+			(void)strlcpy(line, lp, sizeof(NULL16STR));
 			line[5] = 't';
 			break;
 		}
@@ -1239,7 +1238,7 @@ telnet(f, p, host)
 		IM = getstr("im", &cp);
 		IF = getstr("if", &cp);
 		if (HN && *HN)
-			(void) strcpy(host_name, HN);
+			(void)strlcpy(host_name, HN, sizeof(host_name));
 		if (IM == 0)
 			IM = "";
 	} else {