More potential buffer overflow fixes.

o Fixed `nfrontp' calculations in output_data().  If `remaining' is
  initially zero, it was possible for `nfrontp' to be decremented.

Noticed by:	dillon

o Replaced leaking writenet() with output_datalen():

:  * writenet
:  *
:  * Just a handy little function to write a bit of raw data to the net.
:  * It will force a transmit of the buffer if necessary
:  *
:  * arguments
:  *    ptr - A pointer to a character string to write
:  *    len - How many bytes to write
:  */
: 	void
: writenet(ptr, len)
: 	register unsigned char *ptr;
: 	register int len;
: {
: 	/* flush buffer if no room for new data) */
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
: 	if ((&netobuf[BUFSIZ] - nfrontp) < len) {
: 		/* if this fails, don't worry, buffer is a little big */
                   ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
: 		netflush();
: 	}
:
: 	memmove(nfrontp, ptr, len);
: 	nfrontp += len;
:
: }  /* end of writenet */

What an irony!  :-)

o Optimized output_datalen() a bit.

contrib/telnet/telnetd/ext.h

@@ -74,7 +74,7 @@ extern char	ptyobuf[BUFSIZ+NETSLOP], *pfrontp, *pbackp;
 
 extern char	netibuf[BUFSIZ], *netip;
 
-extern char	netobuf[BUFSIZ+NETSLOP], *nfrontp, *nbackp;
+extern char	netobuf[BUFSIZ], *nfrontp, *nbackp;
 extern char	*neturg;		/* one past last bye of urgent data */
 
 extern int	pcc, ncc;
@@ -187,8 +187,7 @@ extern void
 	tty_setsofttab P((int)),
 	tty_tspeed P((int)),
 	willoption P((int)),
-	wontoption P((int)),
-	writenet P((unsigned char *, int));
+	wontoption P((int));
 
 int	output_data __P((const char *, ...)) __printflike(1, 2);
 int	output_datalen __P((const char *, size_t));

contrib/telnet/telnetd/slc.c

@@ -204,7 +204,7 @@ end_slc(bufp)
 			(void) sprintf((char *)slcptr, "%c%c", IAC, SE);
 			slcptr += 2;
 			len = slcptr - slcbuf;
-			writenet(slcbuf, len);
+			output_datalen(slcbuf, len);
 			netflush();  /* force it out immediately */
 			DIAG(TD_OPTIONS, printsub('>', slcbuf+2, len-2););
 		}

contrib/telnet/telnetd/state.c

@@ -1606,7 +1606,7 @@ send_status()
 	ADD(IAC);
 	ADD(SE);
 
-	writenet(statusbuf, ncp - statusbuf);
+	output_datalen(statusbuf, ncp - statusbuf);
 	netflush();	/* Send it on its way */
 
 	DIAG(TD_OPTIONS,
@@ -1631,7 +1631,7 @@ output_data(const char *format, ...)
 		remaining = BUFSIZ - (nfrontp - netobuf);
 	}
 	ret = vsnprintf(nfrontp, remaining, format, args);
-	nfrontp += ((ret < remaining - 1) ? ret : remaining - 1);
+	nfrontp += (ret < remaining) ? ret : remaining;
 	va_end(args);
 	return ret;
 }
@@ -1645,9 +1645,9 @@ output_datalen(const char *buf, size_t len)
 	if (remaining < len) {
 		netflush();
 		remaining = BUFSIZ - (nfrontp - netobuf);
+		if (remaining < len)
+			return -1;
 	}
-	if (remaining < len)
-		return -1;
 	memmove(nfrontp, buf, len);
 	nfrontp += len;
 	return (len);

contrib/telnet/telnetd/utility.c

@@ -317,33 +317,6 @@ netflush()
 }  /* end of netflush */
 
 
-/*
- * writenet
- *
- * Just a handy little function to write a bit of raw data to the net.
- * It will force a transmit of the buffer if necessary
- *
- * arguments
- *    ptr - A pointer to a character string to write
- *    len - How many bytes to write
- */
-	void
-writenet(ptr, len)
-	register unsigned char *ptr;
-	register int len;
-{
-	/* flush buffer if no room for new data) */
-	if ((&netobuf[BUFSIZ] - nfrontp) < len) {
-		/* if this fails, don't worry, buffer is a little big */
-		netflush();
-	}
-
-	memmove(nfrontp, ptr, len);
-	nfrontp += len;
-
-}  /* end of writenet */
-
-
 /*
  * miscellaneous functions doing a variety of little jobs follow ...
  */

crypto/telnet/telnetd/ext.h

@@ -74,7 +74,7 @@ extern char	ptyobuf[BUFSIZ+NETSLOP], *pfrontp, *pbackp;
 
 extern char	netibuf[BUFSIZ], *netip;
 
-extern char	netobuf[BUFSIZ+NETSLOP], *nfrontp, *nbackp;
+extern char	netobuf[BUFSIZ], *nfrontp, *nbackp;
 extern char	*neturg;		/* one past last bye of urgent data */
 
 extern int	pcc, ncc;
@@ -187,8 +187,7 @@ extern void
 	tty_setsofttab P((int)),
 	tty_tspeed P((int)),
 	willoption P((int)),
-	wontoption P((int)),
-	writenet P((unsigned char *, int));
+	wontoption P((int));
 
 int	output_data __P((const char *, ...)) __printflike(1, 2);
 int	output_datalen __P((const char *, size_t));

crypto/telnet/telnetd/slc.c

@@ -204,7 +204,7 @@ end_slc(bufp)
 			(void) sprintf((char *)slcptr, "%c%c", IAC, SE);
 			slcptr += 2;
 			len = slcptr - slcbuf;
-			writenet(slcbuf, len);
+			output_datalen(slcbuf, len);
 			netflush();  /* force it out immediately */
 			DIAG(TD_OPTIONS, printsub('>', slcbuf+2, len-2););
 		}

crypto/telnet/telnetd/state.c

@@ -1606,7 +1606,7 @@ send_status()
 	ADD(IAC);
 	ADD(SE);
 
-	writenet(statusbuf, ncp - statusbuf);
+	output_datalen(statusbuf, ncp - statusbuf);
 	netflush();	/* Send it on its way */
 
 	DIAG(TD_OPTIONS,
@@ -1631,7 +1631,7 @@ output_data(const char *format, ...)
 		remaining = BUFSIZ - (nfrontp - netobuf);
 	}
 	ret = vsnprintf(nfrontp, remaining, format, args);
-	nfrontp += ((ret < remaining - 1) ? ret : remaining - 1);
+	nfrontp += (ret < remaining) ? ret : remaining;
 	va_end(args);
 	return ret;
 }
@@ -1645,9 +1645,9 @@ output_datalen(const char *buf, size_t len)
 	if (remaining < len) {
 		netflush();
 		remaining = BUFSIZ - (nfrontp - netobuf);
+		if (remaining < len)
+			return -1;
 	}
-	if (remaining < len)
-		return -1;
 	memmove(nfrontp, buf, len);
 	nfrontp += len;
 	return (len);

crypto/telnet/telnetd/utility.c

@@ -317,33 +317,6 @@ netflush()
 }  /* end of netflush */
 
 
-/*
- * writenet
- *
- * Just a handy little function to write a bit of raw data to the net.
- * It will force a transmit of the buffer if necessary
- *
- * arguments
- *    ptr - A pointer to a character string to write
- *    len - How many bytes to write
- */
-	void
-writenet(ptr, len)
-	register unsigned char *ptr;
-	register int len;
-{
-	/* flush buffer if no room for new data) */
-	if ((&netobuf[BUFSIZ] - nfrontp) < len) {
-		/* if this fails, don't worry, buffer is a little big */
-		netflush();
-	}
-
-	memmove(nfrontp, ptr, len);
-	nfrontp += len;
-
-}  /* end of writenet */
-
-
 /*
  * miscellaneous functions doing a variety of little jobs follow ...
  */