Gentoo's Bugzilla – Attachment 54831 Details for
Bug 87019
net-misc/telnet-bsd buffer overflows
[patch]
telnet-bsd-1.0 security patch
telnet-bsd-1.0-buffer_overflow_01.patch (text/plain), 2.26 KB, created by
Otavio Piske (RETIRED)
on 2005-03-30 05:30:14 UTC
Description:
telnet-bsd-1.0 security patch
Creator:
Otavio Piske (RETIRED)
Created:
2005-03-30 05:30:14 UTC
Size:
2.26 KB
>--- telnet/telnet.c.orig 2005-03-30 09:17:58.000000000 -0300
>+++ telnet/telnet.c 2005-03-30 10:09:47.000000000 -0300
>@@ -1131,6 +1131,7 @@
> 
> 
> unsigned char slc_reply[128];
>+unsigned char const * const slc_reply_eom = &slc_reply[sizeof(slc_reply)];
> unsigned char *slc_replyp;
> 
> void
>@@ -1146,6 +1147,14 @@
> void
> slc_add_reply(unsigned char func, unsigned char flags, cc_t value)
> {
>+ /* A sequence of up to 6 bytes my be written for this member of the SLC
>+ * suboption list by this function. The end of negotiation command,
>+ * which is written by slc_end_reply(), will require 2 additional
>+ * bytes. Do not proceed unless there is sufficient space for these
>+ * items.
>+ */
>+ if (&slc_replyp[6+2] > slc_reply_eom)
>+ return;
> if ((*slc_replyp++ = func) == IAC)
> *slc_replyp++ = IAC;
> if ((*slc_replyp++ = flags) == IAC)
>@@ -1159,6 +1168,10 @@
> {
> int len;
> 
>+ /* The end of negotiation command requires 2 bytes. */
>+ if (&slc_replyp[2] > slc_reply_eom)
>+ return;
>+
> *slc_replyp++ = IAC;
> *slc_replyp++ = SE;
> len = slc_replyp - slc_reply;
>@@ -1236,8 +1249,8 @@
> }
> }
> 
>-#define OPT_REPLY_SIZE 256
>-unsigned char *opt_reply;
>+#define OPT_REPLY_SIZE (2 * SUBBUFSIZE)
>+unsigned char *opt_reply = NULL;
> unsigned char *opt_replyp;
> unsigned char *opt_replyend;
> 
>@@ -1298,8 +1311,8 @@
> return;
> }
> vp = env_getvalue(ep);
>- if (opt_replyp + (vp ? strlen((char *)vp) : 0) +
>- strlen((char *)ep) + 6 > opt_replyend)
>+ if (opt_replyp + (vp ? 2 * strlen((char *)vp) : 0) +
>+ 2 * strlen((char *)ep) + 6 > opt_replyend)
> {
> int len;
> unsigned char *p;
>@@ -1323,6 +1336,8 @@
> *opt_replyp++ = ENV_USERVAR;
> for (;;) {
> while ((c = *ep++)) {
>+ if (opt_replyp + (2 + 2) > opt_replyend)
>+ return;
> switch(c&0xff) {
> case IAC:
> *opt_replyp++ = IAC;
>@@ -1337,6 +1352,8 @@
> *opt_replyp++ = c;
> }
> if ((ep = vp)) {
>+ if (opt_replyp + (1 + 2 + 2) > opt_replyend)
>+ return;
> *opt_replyp++ = ENV_VALUE;
> vp = NULL;
> } else
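Review bot: The guard `if (&slc_replyp[6+2] > slc_reply_eom)` in slc_add_reply forms a pointer that can lie more than one element past the end of slc_reply, which is undefined behaviour in C, so an optimising compiler is not obliged to keep the test meaningful. Comparing the remaining space avoids forming that pointer: `if (slc_reply_eom - slc_replyp < 6 + 2) return;`. The same form is used in slc_end_reply (`&slc_replyp[2]`) and in the opt_reply checks in the hunks at -1298, -1323, -1337 and -1361, where `opt_replyend - opt_replyp` can be compared against the needed length instead; at -1298 the offset is built from environment string lengths, so it is the case most likely to overshoot the buffer. The new comment also reads "my be" where "may be" is meant.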
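Review bot: The early `return` added inside the copy loop at -1323 leaves a partly written entry in opt_reply, because the type byte (`*opt_replyp++ = ENV_USERVAR;` is visible as context) and any name bytes already stored stay in the buffer and opt_replyp is not rewound. Whatever later sends opt_reply would then transmit a truncated variable name or value to the peer. Recording the position before the type byte is written, `unsigned char *entry = opt_replyp;`, and restoring it on failure, `opt_replyp = entry; return;`, keeps the reply well formed. The same applies to the check added before `ENV_VALUE` in the hunk at -1337. The enclosing function starts and ends outside both hunks, so the placement of the saved pointer needs checking against the full source.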
>@@ -1361,7 +1378,10 @@
> {
> int len;
> 
>- len = opt_replyp - opt_reply + 2;
>+ if (opt_replyp + 2 > opt_replyend)
>+ return;
>+ len = opt_replyp + 2 - opt_reply;
>+
> if (emptyok || len > 6) {
> *opt_replyp++ = IAC;
> *opt_replyp++ = SE;
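Review bot: The new `return` leaves the function before the `IAC SE` terminator is written and before anything that follows the send, so when fewer than two bytes remain the whole reply is dropped with no diagnostic. The rest of the function is outside this hunk; if it releases or resets opt_reply after sending, that step is skipped too and the old pointers carry over into the next negotiation. Consider guarding only the send, for example by extending the existing condition to `if ((emptyok || len > 6) && opt_replyend - opt_replyp >= 2) {`, so that control still reaches the code after the block.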