plug buffer overflows, see
http://www.idefense.com/application/poi/display?id=220&type=vulnerabilities http://www.idefense.com/application/poi/display?id=221&type=vulnerabilities (CAN 2005-0468 and 2005-0469) Patch taken from MIT/Kerberos (MITKRB5-SA-2005-001-telnet.txt)
parent
d1238feea1
commit
6ff7079afd
|
@ -1,4 +1,4 @@
|
|||
/* $NetBSD: telnet.c,v 1.29 2004/11/04 07:22:47 dsl Exp $ */
|
||||
/* $NetBSD: telnet.c,v 1.30 2005/03/29 12:18:28 drochner Exp $ */
|
||||
|
||||
/*
|
||||
* Copyright (c) 1988, 1990, 1993
|
||||
|
@ -34,7 +34,7 @@
|
|||
#if 0
|
||||
static char sccsid[] = "@(#)telnet.c 8.4 (Berkeley) 5/30/95";
|
||||
#else
|
||||
__RCSID("$NetBSD: telnet.c,v 1.29 2004/11/04 07:22:47 dsl Exp $");
|
||||
__RCSID("$NetBSD: telnet.c,v 1.30 2005/03/29 12:18:28 drochner Exp $");
|
||||
#endif
|
||||
#endif /* not lint */
|
||||
|
||||
|
@ -1440,6 +1440,8 @@ slc_start_reply(void)
|
|||
void
|
||||
slc_add_reply(unsigned int func, unsigned int flags, cc_t value)
|
||||
{
|
||||
if ((slc_replyp - slc_reply) + 6 > sizeof(slc_reply))
|
||||
return;
|
||||
if ((*slc_replyp++ = func) == IAC)
|
||||
*slc_replyp++ = IAC;
|
||||
if ((*slc_replyp++ = flags) == IAC)
|
||||
|
@ -1453,11 +1455,12 @@ slc_end_reply(void)
|
|||
{
|
||||
int len;
|
||||
|
||||
len = slc_replyp - slc_reply;
|
||||
if (len <= 4 || (len + 2 > sizeof(slc_reply)))
|
||||
return;
|
||||
*slc_replyp++ = IAC;
|
||||
*slc_replyp++ = SE;
|
||||
len = slc_replyp - slc_reply;
|
||||
if (len <= 6)
|
||||
return;
|
||||
len += 2;
|
||||
if (NETROOM() > len) {
|
||||
ring_supply_data(&netoring, slc_reply, slc_replyp - slc_reply);
|
||||
printsub('>', &slc_reply[2], slc_replyp - slc_reply - 2);
|
||||
|
@ -1612,6 +1615,7 @@ void
|
|||
env_opt_add(unsigned char *ep)
|
||||
{
|
||||
unsigned char *vp, c;
|
||||
unsigned int len, olen, elen;
|
||||
|
||||
if (opt_reply == NULL) /*XXX*/
|
||||
return; /*XXX*/
|
||||
|
@ -1629,13 +1633,13 @@ env_opt_add(unsigned char *ep)
|
|||
return;
|
||||
}
|
||||
vp = env_getvalue(ep);
|
||||
if (opt_replyp + (vp ? strlen((char *)vp) : 0) +
|
||||
strlen((char *)ep) + 6 > opt_replyend)
|
||||
elen = 2 * (vp ? strlen((char *)vp) : 0) +
|
||||
2 * strlen((char *)ep) + 6;
|
||||
if ((opt_replyend - opt_replyp) < elen)
|
||||
{
|
||||
int len;
|
||||
unsigned char *p;
|
||||
opt_replyend += OPT_REPLY_SIZE;
|
||||
len = opt_replyend - opt_reply;
|
||||
len = opt_replyend - opt_reply + elen;
|
||||
olen = opt_replyp - opt_reply;
|
||||
p = (unsigned char *)realloc(opt_reply, len);
|
||||
if (p == NULL)
|
||||
free(opt_reply);
|
||||
|
@ -1645,7 +1649,7 @@ env_opt_add(unsigned char *ep)
|
|||
opt_reply = opt_replyp = opt_replyend = NULL;
|
||||
return;
|
||||
}
|
||||
opt_replyp = opt_reply + len - (opt_replyend - opt_replyp);
|
||||
opt_replyp = opt_reply + olen;
|
||||
opt_replyend = opt_reply + len;
|
||||
}
|
||||
if (opt_welldefined(ep))
|
||||
|
|
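Review bot: In env_opt_add the new bounds arithmetic is held in `unsigned int len, olen, elen;`, although `elen` is built from `strlen()` results and `len`/`olen` from pointer differences. On a 64-bit target those values are narrowed before the `(opt_replyend - opt_replyp) < elen` test and the `realloc(opt_reply, len)` call that the overflow fix depends on. The name and value lengths are presumably far too small for this to wrap in practice, but declaring `size_t len, olen, elen;` and testing `if ((size_t)(opt_replyend - opt_replyp) < elen)` removes both the narrowing and the signed/unsigned comparison. The `2 *` and `+ 6` also deserve a comment such as `/* worst case: every byte of name and value is escaped, plus framing bytes */`, if that is the reasoning. The copy loop that would confirm it is outside the visible hunks, as is the rest of env_opt_add.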