Gentoo's Bugzilla – Attachment 54784 Details for
Bug 87145
app-crypt/mit-krb5 buffer overflow in telnet client
[patch]
Backported patch to 1.3.6
krb5-1.3.6-telnet.patch (text/plain), 1.93 KB, created by
Ryan Phillips (RETIRED)
on 2005-03-29 11:55:49 UTC
Description:
Backported patch to 1.3.6
Filename:
MIME Type:
Creator:
Ryan Phillips (RETIRED)
Created:
2005-03-29 11:55:49 UTC
Size:
1.93 KB
patch
obsolete
>diff -ur krb5-1.3.6-orig/src/appl/telnet/telnet/telnet.c krb5-1.3.6/src/appl/telnet/telnet/telnet.c
>--- krb5-1.3.6-orig/src/appl/telnet/telnet/telnet.c 2005-03-29 11:47:19.320798688 -0800
>+++ krb5-1.3.6/src/appl/telnet/telnet/telnet.c 2005-03-29 11:54:57.479148032 -0800
>@@ -1475,6 +1475,8 @@
> unsigned char flags;
> cc_t value;
> {
>+ if ((slc_replyp - slc_reply) + 6 > sizeof(slc_reply))
>+ return;
> if ((*slc_replyp++ = func) == IAC)
> *slc_replyp++ = IAC;
> if ((*slc_replyp++ = flags) == IAC)
>@@ -1488,11 +1490,14 @@
> {
> register int len;
>
>- *slc_replyp++ = IAC;
>- *slc_replyp++ = SE;
> len = slc_replyp - slc_reply;
>- if (len <= 6)
>+ if (len <= 4 || (len + 2 > sizeof(slc_reply)))
> return;
>+
>+ *slc_replyp++ = IAC;
>+ *slc_replyp++ = SE;
>+ len += 2;
>+
> if (NETROOM() > len) {
> ring_supply_data(&netoring, slc_reply, slc_replyp - slc_reply);
> printsub('>', &slc_reply[2], slc_replyp - slc_reply - 2);
>@@ -1645,6 +1650,7 @@
> register unsigned char *ep;
> {
> register unsigned char *vp, c;
>+ unsigned int len, olen, elen;
>
> if (opt_reply == NULL) /*XXX*/
> return; /*XXX*/
>@@ -1662,19 +1668,19 @@
> return;
> }
> vp = env_getvalue(ep);
>- if (opt_replyp + (vp ? strlen((char *)vp) : 0) +
>- strlen((char *)ep) + 6 > opt_replyend)
>+ elen = 2 * (vp ? strlen((char *)vp) : 0) +
>+ 2 * strlen((char *)ep) + 6;
>+ if ((opt_replyend - opt_replyp) < elen)
> {
>- register unsigned int len;
>- opt_replyend += OPT_REPLY_SIZE;
>- len = opt_replyend - opt_reply;
>+ len = opt_replyend - opt_reply + elen;
>+ olen = opt_replyp - opt_reply;
> opt_reply = (unsigned char *)realloc(opt_reply, len);
> if (opt_reply == NULL) {
> /*@*/ printf("env_opt_add: realloc() failed!!!\n");
> opt_reply = opt_replyp = opt_replyend = NULL;
> return;
> }
>- opt_replyp = opt_reply + len - (opt_replyend - opt_replyp);
>+ opt_replyp = opt_reply + olen;
> opt_replyend = opt_reply + len;
> }
> if (opt_welldefined((char *) ep))
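Review bot: The new guard at the top of this function uses a bare `6` and returns silently, so a later reader cannot tell why six bytes are required or that a triplet was dropped. A comment such as `/* worst case: func, flags and value each doubled by IAC escaping */` above the check would document the bound; the write of `value` is outside the hunk, so confirm it is escaped the same way as the two visible writes. The test also relies on `sizeof(slc_reply)` yielding the buffer size, which holds only if `slc_reply` is declared as an array in this file, and that declaration is not visible here. The function's signature starts above the hunk and its body continues below it.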
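Review bot: When fewer than two bytes remain, the new `len + 2 > sizeof(slc_reply)` test returns before anything is sent, so the entire reply is discarded rather than truncated, and the guard added in the first hunk reserves no room for the trailing `IAC SE`. Reserving the terminator there, e.g. `if ((slc_replyp - slc_reply) + 6 + 2 > sizeof(slc_reply))`, would keep a full buffer sendable. `len` is an `int` compared against a `size_t`; writing `(size_t)len + 2 > sizeof(slc_reply)` makes the conversion explicit. The function continues past the end of the hunk.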
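Review bot: `elen` and `len` hold sums of `strlen()` results but are declared `unsigned int` (third hunk), so on LP64 targets the `size_t` value is narrowed before the `(opt_replyend - opt_replyp) < elen` comparison and before the `realloc` call. Names and values that long are unlikely, but the bound this patch exists to enforce should not depend on that; declaring `size_t len, olen, elen;` removes the narrowing. Separately, the unchanged `opt_reply = (unsigned char *)realloc(opt_reply, len);` overwrites the only pointer to the old block before the NULL check, so the failure path leaks it; assigning to a temporary first would avoid that. The rest of the function is outside the hunk, so whether `+ 6` covers every fixed byte written afterwards cannot be confirmed from here.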
Attachments on
bug 87145
: 54784