d/freebsd-nq
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

When telnetd(8) composes argument list for login(1), an unexpected sequence

Browse Source 
of memory allocation failures combined with insufficient error checking
could result in the construction and execution of an argument sequence that
was not intended.

Fix that treating malloc(3) failures as fatal condition.

Submitted by:	brooks
Security:	FreeBSD-SA-16:36.telnetd
This commit is contained in:
Gleb Smirnoff 2016-12-06 18:50:22 +00:00
parent 0d49655f96
commit f5c44977ff
1 changed files with 4 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
contrib/telnet/telnetd/sys_term.c
View File

@ -1159,7 +1159,7 @@ addarg(char **argv, const char *val)
*/
argv = (char **)malloc(sizeof(*argv) * 12);
if (argv == NULL)
return(NULL);
fatal(net, "failure allocating argument space");
*argv++ = (char *)10;
*argv = (char *)0;
}
@ -1170,11 +1170,12 @@ addarg(char **argv, const char *val)
*argv = (char *)((long)(*argv) + 10);
argv = (char **)realloc(argv, sizeof(*argv)*((long)(*argv) + 2));
if (argv == NULL)
return(NULL);
fatal(net, "failure allocating argument space");
argv++;
cpp = &argv[(long)argv[-1] - 10];
}
*cpp++ = strdup(val);
if ((*cpp++ = strdup(val)) == NULL)
fatal(net, "failure allocating argument space");
*cpp = 0;
return(argv);
}