Attachment 52319 Details for Bug 83596 – telnet-bsd-1.1-slc-env-overflow.diff

[patch] telnet-bsd-1.1-slc-env-overflow.diff

telnet-bsd-1.1-slc-env-overflow.diff (text/plain), 1.14 KB, created by Sune Kloppenborg Jeppesen (RETIRED) on 2005-02-28 13:08:34 UTC

(hide)

Description:

Filename:

MIME Type:

Creator: Sune Kloppenborg Jeppesen (RETIRED)

Created: 2005-02-28 13:08:34 UTC

Size: 1.14 KB

patch

obsolete

>diff -ruN telnet-bsd-1.1/telnet/telnet.c telnet-bsd-1.1.fixed/telnet/telnet.c
>--- telnet-bsd-1.1/telnet/telnet.c	2004-02-14 05:11:27.000000000 -0800
>+++ telnet-bsd-1.1.fixed/telnet/telnet.c	2005-02-23 07:21:09.898412008 -0800
>@@ -1245,6 +1245,10 @@
> void
> slc_add_reply (unsigned char func, unsigned char flags, cc_t value)
> {
>+  if (slc_replyp + 6 >= slc_reply + sizeof(slc_reply)) {
>+     printf("slc_add_reply: not enough room\n");
>+     return;
>+  }
>   if ((*slc_replyp++ = func) == IAC)
>     *slc_replyp++ = IAC;
>   if ((*slc_replyp++ = flags) == IAC)
>@@ -1258,6 +1262,10 @@
> {
>   int len;
> 
>+  if (slc_replyp + 2 >= slc_reply + sizeof(slc_reply)) {
>+    printf("slc_end_reply: not enough room\n");
>+    return;
>+  }
>   *slc_replyp++ = IAC;
>   *slc_replyp++ = SE;
>   len = slc_replyp - slc_reply;
>@@ -1416,7 +1424,11 @@
>     {
>       int len;
>       unsigned char *p;
>+      /* Pointer wrap should be no issue here */
>       opt_replyend += OPT_REPLY_SIZE;
>+      opt_replyend += 2*strlen(ep);
>+      if (vp)
>+        opt_replyend += 2*strlen(vp);
>       len = opt_replyend - opt_reply;
>       p = (unsigned char *) realloc (opt_reply, len);
>       if (p == NULL)

Actions: View | Diff

Attachments on bug 83596: 52319 | 52622 | 54257