Fix buffer overflow when DISPLAY is longer than 43 characters. This
is not exploitable because telnet doesn't run with elevated privs. Didn't fix all the other potential buffer overflows. Would be a good task for someone who has lots of time to carefully study each case because cut and paste solutions are dangerous for this code base. Added $FreeBSD$ in the same way that command.c did it.
This commit is contained in:
Warner Losh
parent
80d92dc27e
commit
fbbed1ea76
Notes:
svn2git
2020-12-20 02:59:44 +00:00
svn path=/head/; revision=66151
@ -29,6 +29,8 @@
|
||||
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
|
||||
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
||||
* SUCH DAMAGE.
|
||||
*
|
||||
* $FreeBSD$
|
||||
*/
|
||||
|
||||
#ifndef lint
|
||||
@ -946,16 +948,17 @@ suboption()
|
||||
unsigned char temp[50], *dp;
|
||||
int len;
|
||||
|
||||
if ((dp = env_getvalue((unsigned char *)"DISPLAY")) == NULL) {
|
||||
if ((dp = env_getvalue((unsigned char *)"DISPLAY")) == NULL ||
|
||||
strlen(dp) > sizeof(temp) - 7) {
|
||||
/*
|
||||
* Something happened, we no longer have a DISPLAY
|
||||
* variable. So, turn off the option.
|
||||
* variable. Or it is too long. So, turn off the option.
|
||||
*/
|
||||
send_wont(TELOPT_XDISPLOC, 1);
|
||||
break;
|
||||
}
|
||||
sprintf((char *)temp, "%c%c%c%c%s%c%c", IAC, SB, TELOPT_XDISPLOC,
|
||||
TELQUAL_IS, dp, IAC, SE);
|
||||
snprintf((char *)temp, sizeof(temp), "%c%c%c%c%s%c%c", IAC, SB,
|
||||
TELOPT_XDISPLOC, TELQUAL_IS, dp, IAC, SE);
|
||||
len = strlen((char *)temp+4) + 4; /* temp[3] is 0 ... */
|
||||
|
||||
if (len < NETROOM()) {
|
||||
|
||||
Loading…
Reference in New Issue
Block a user