Go to:
Gentoo Home
Documentation
Forums
Lists
Bugs
Planet
Store
Wiki
Get Gentoo!
Gentoo's Bugzilla – Attachment 54257 Details for
Bug 83596
{netkit-telnetd|telnet-bsd|mit-krb5|heimdal?} information disclosure
Home
|
New
–
[Ex]
|
Browse
|
Search
|
Privacy Policy
|
[?]
|
Reports
|
Requests
|
Help
|
New Account
|
Log In
[x]
|
Forgot Password
Login:
[x]
[patch]
CAN-2005-468_469.patch
CAN-2005-468_469.patch (text/plain), 4.32 KB, created by
Sune Kloppenborg Jeppesen (RETIRED)
on 2005-03-23 08:33:06 UTC
(
hide
)
Description:
CAN-2005-468_469.patch
Filename:
MIME Type:
Creator:
Sune Kloppenborg Jeppesen (RETIRED)
Created:
2005-03-23 08:33:06 UTC
Size:
4.32 KB
patch
obsolete
>--- netkit-telnet-0.17/telnet/telnet.c.CAN-2005-468_469 2005-03-17 13:48:58.000000000 +0100 >+++ netkit-telnet-0.17/telnet/telnet.c 2005-03-17 14:02:27.000000000 +0100 >@@ -1310,22 +1310,66 @@ > } > > >-unsigned char slc_reply[128]; >+#define SLC_REPLY_SIZE 128 >+unsigned char *slc_reply; > unsigned char *slc_replyp; >+unsigned char *slc_replyend; > > void > slc_start_reply(void) > { >+ slc_reply = (unsigned char *)malloc(SLC_REPLY_SIZE); >+ if (slc_reply == NULL) { >+/*@*/ printf("slc_start_reply: malloc()/realloc() failed!!!\n"); >+ slc_reply = slc_replyp = slc_replyend = NULL; >+ return; >+ } >+ > slc_replyp = slc_reply; >+ slc_replyend = slc_reply + SLC_REPLY_SIZE; > *slc_replyp++ = IAC; > *slc_replyp++ = SB; > *slc_replyp++ = TELOPT_LINEMODE; > *slc_replyp++ = LM_SLC; > } > >+static int >+slc_assure_buffer(int want_len); >+ >+ static int >+slc_assure_buffer(int want_len) >+{ >+ if ((slc_replyp + want_len) >= slc_replyend) { >+ int len; >+ int old_len = slc_replyp - slc_reply; >+ unsigned char *p; >+ >+ len = old_len >+ + (want_len / SLC_REPLY_SIZE + 1) * SLC_REPLY_SIZE; >+ p = (unsigned char *)realloc(slc_reply, len); >+ if (p == NULL) >+ free(slc_reply); >+ slc_reply = p; >+ if (slc_reply == NULL) { >+/*@*/ printf("slc_add_reply: realloc() failed!!!\n"); >+ slc_reply = slc_replyp = slc_replyend = NULL; >+ return 1; >+ } >+ slc_replyp = slc_reply + old_len; >+ slc_replyend = slc_reply + len; >+ } >+ return 0; >+} >+ > void > slc_add_reply(unsigned char func, unsigned char flags, cc_t value) > { >+ if (slc_assure_buffer(6)) >+ return; >+ >+ if (slc_replyp == NULL) >+ return; >+ > if ((*slc_replyp++ = func) == IAC) > *slc_replyp++ = IAC; > if ((*slc_replyp++ = flags) == IAC) >@@ -1339,6 +1383,12 @@ > { > int len; > >+ if (slc_assure_buffer(2)) >+ return; >+ >+ if (slc_replyp == NULL) >+ return; >+ > *slc_replyp++ = IAC; > *slc_replyp++ = SE; > len = slc_replyp - slc_reply; >@@ -1456,7 +1506,7 @@ > } > } > >-#define OPT_REPLY_SIZE 256 >+#define OPT_REPLY_SIZE 1024 > unsigned char *opt_reply; > unsigned char *opt_replyp; > unsigned char *opt_replyend; >@@ -1490,10 +1540,38 @@ > env_opt_start_info(void) > { > env_opt_start(); >- if (opt_replyp) >+ if (opt_replyp && (opt_replyp > opt_reply)) > opt_replyp[-1] = TELQUAL_INFO; > } > >+static int >+env_opt_assure_buffer(int want_len); >+ >+ static int >+env_opt_assure_buffer(int want_len) >+{ >+ if ((opt_replyp + want_len) >= opt_replyend) { >+ int len; >+ unsigned char *p; >+ int old_len = opt_replyp - opt_reply; >+ >+ len = old_len >+ + (want_len / OPT_REPLY_SIZE + 1) * OPT_REPLY_SIZE; >+ p = (unsigned char *)realloc(opt_reply, len); >+ if (p == NULL) >+ free(opt_reply); >+ opt_reply = p; >+ if (opt_reply == NULL) { >+/*@*/ printf("env_opt_add: realloc() failed!!!\n"); >+ opt_reply = opt_replyp = opt_replyend = NULL; >+ return 1; >+ } >+ opt_replyp = opt_reply + old_len; >+ opt_replyend = opt_reply + len; >+ } >+ return 0; >+} >+ > void > env_opt_add(unsigned char *ep) > { >@@ -1515,25 +1593,12 @@ > return; > } > vp = env_getvalue(ep, 1); >- if (opt_replyp + (vp ? strlen((char *)vp) : 0) + >- strlen((char *)ep) + 6 > opt_replyend) >- { >- int len; >- unsigned char *p; >- opt_replyend += OPT_REPLY_SIZE; >- len = opt_replyend - opt_reply; >- p = (unsigned char *)realloc(opt_reply, len); >- if (p == NULL) >- free(opt_reply); >- opt_reply = p; >- if (opt_reply == NULL) { >-/*@*/ printf("env_opt_add: realloc() failed!!!\n"); >- opt_reply = opt_replyp = opt_replyend = NULL; >- return; >- } >- opt_replyp = opt_reply + len - (opt_replyend - opt_replyp); >- opt_replyend = opt_reply + len; >- } >+ >+ /* use the double length in case it gots escaped */ >+ if (env_opt_assure_buffer((vp ? strlen((char *)vp)*2 : 0) + >+ strlen((char *)ep)*2 + 6)) >+ return; >+ > if (opt_welldefined((char *)ep)) > #ifdef OLD_ENVIRON > if (telopt_environ == TELOPT_OLD_ENVIRON) >@@ -1588,8 +1653,14 @@ > { > int len; > >+ if (opt_reply == NULL) /*XXX*/ >+ return; /*XXX*/ >+ >+ > len = opt_replyp - opt_reply + 2; > if (emptyok || len > 6) { >+ if (env_opt_assure_buffer(2)) >+ return; > *opt_replyp++ = IAC; > *opt_replyp++ = SE; > if (NETROOM() > len) {
You cannot view the attachment while viewing its details because your browser does not support IFRAMEs.
View the attachment on a separate page
.
View Attachment As Diff
View Attachment As Raw
Actions:
View
|
Diff
Attachments on
bug 83596
:
52319
|
52622
| 54257