More potential buffer overflow fixes.
o Fixed `nfrontp' calculations in output_data(). If `remaining' is initially zero, it was possible for `nfrontp' to be decremented. Noticed by: dillon o Replaced leaking writenet() with output_datalen(): : * writenet : * : * Just a handy little function to write a bit of raw data to the net. : * It will force a transmit of the buffer if necessary : * : * arguments : * ptr - A pointer to a character string to write : * len - How many bytes to write : */ : void : writenet(ptr, len) : register unsigned char *ptr; : register int len; : { : /* flush buffer if no room for new data) */ ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ : if ((&netobuf[BUFSIZ] - nfrontp) < len) { : /* if this fails, don't worry, buffer is a little big */ ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ : netflush(); : } : : memmove(nfrontp, ptr, len); : nfrontp += len; : : } /* end of writenet */ What an irony! :-) o Optimized output_datalen() a bit.
parent
f7ae7f1d00
commit
40e7fc1a20
@ -74,7 +74,7 @@ extern char ptyobuf[BUFSIZ+NETSLOP], *pfrontp, *pbackp;
|
||||
|
||||
extern char netibuf[BUFSIZ], *netip;
|
||||
|
||||
extern char netobuf[BUFSIZ+NETSLOP], *nfrontp, *nbackp;
|
||||
extern char netobuf[BUFSIZ], *nfrontp, *nbackp;
|
||||
extern char *neturg; /* one past last bye of urgent data */
|
||||
|
||||
extern int pcc, ncc;
|
||||
@ -187,8 +187,7 @@ extern void
|
||||
tty_setsofttab P((int)),
|
||||
tty_tspeed P((int)),
|
||||
willoption P((int)),
|
||||
wontoption P((int)),
|
||||
writenet P((unsigned char *, int));
|
||||
wontoption P((int));
|
||||
|
||||
int output_data __P((const char *, ...)) __printflike(1, 2);
|
||||
int output_datalen __P((const char *, size_t));
|
||||
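Review bot: The `netobuf` declaration in the first hunk appears to lose its NETSLOP slack, which is what the deleted writenet() comment ("buffer is a little big") relied on, so every writer that advances `nfrontp` must now stay within exactly BUFSIZ. Only output_data() and output_datalen() are visible in this commit; any direct stores through `nfrontp` elsewhere in the daemon (not shown here) need the same bound checked. `ptyobuf`, shown in the hunk header, keeps its slop, so the two output buffers now follow different rules. A comment on the declaration such as `/* exactly BUFSIZ, no slop: write only via output_data()/output_datalen() */` would record that.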
|
@ -204,7 +204,7 @@ end_slc(bufp)
|
||||
(void) sprintf((char *)slcptr, "%c%c", IAC, SE);
|
||||
slcptr += 2;
|
||||
len = slcptr - slcbuf;
|
||||
writenet(slcbuf, len);
|
||||
output_datalen(slcbuf, len);
|
||||
netflush(); /* force it out immediately */
|
||||
DIAG(TD_OPTIONS, printsub('>', slcbuf+2, len-2););
|
||||
}
|
||||
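Review bot: The result of `output_datalen(slcbuf, len)` in end_slc() is discarded, although the output_datalen() hunk in this commit shows it returning -1 without copying anything when the data still does not fit after netflush(). writenet() always copied, so a silently dropped suboption is a new failure mode, and the `DIAG(TD_OPTIONS, printsub(...))` line after it would still trace the block as if it had been sent. Checking the result, for example `if (output_datalen(slcbuf, len) != -1) netflush();` with the DIAG call moved under the same condition, keeps the trace honest. The same applies to `output_datalen(statusbuf, ncp - statusbuf)` in send_status(). end_slc() starts outside the hunk, so its declarations and return type are not visible here.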
|
@ -1606,7 +1606,7 @@ send_status()
|
||||
ADD(IAC);
|
||||
ADD(SE);
|
||||
|
||||
writenet(statusbuf, ncp - statusbuf);
|
||||
output_datalen(statusbuf, ncp - statusbuf);
|
||||
netflush(); /* Send it on its way */
|
||||
|
||||
DIAG(TD_OPTIONS,
|
||||
@ -1631,7 +1631,7 @@ output_data(const char *format, ...)
|
||||
remaining = BUFSIZ - (nfrontp - netobuf);
|
||||
}
|
||||
ret = vsnprintf(nfrontp, remaining, format, args);
|
||||
nfrontp += ((ret < remaining - 1) ? ret : remaining - 1);
|
||||
nfrontp += (ret < remaining) ? ret : remaining;
|
||||
va_end(args);
|
||||
return ret;
|
||||
}
|
||||
@ -1645,9 +1645,9 @@ output_datalen(const char *buf, size_t len)
|
||||
if (remaining < len) {
|
||||
netflush();
|
||||
remaining = BUFSIZ - (nfrontp - netobuf);
|
||||
}
|
||||
if (remaining < len)
|
||||
return -1;
|
||||
}
|
||||
memmove(nfrontp, buf, len);
|
||||
nfrontp += len;
|
||||
return (len);
|
||||
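Review bot: In output_data(), the new `nfrontp += (ret < remaining) ? ret : remaining;` advances by `remaining` on truncation, but vsnprintf() given size `remaining` stores at most `remaining - 1` characters followed by a NUL, so the terminator is counted as payload and would go out with the next flush. `nfrontp += (ret < remaining) ? ret : (remaining ? remaining - 1 : 0);` keeps the fix for the zero case without emitting the NUL. The declarations of `ret` and `remaining` are outside the hunk. If they are unsigned, a vsnprintf() error return becomes a huge value and is clamped to `remaining`, so bytes already sitting in that part of `netobuf` would be sent again. If they are signed, the pointer would move backwards. Either way, an explicit error check before the pointer update is worth adding.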
|
@ -317,33 +317,6 @@ netflush()
|
||||
} /* end of netflush */
|
||||
|
||||
|
||||
/*
|
||||
* writenet
|
||||
*
|
||||
* Just a handy little function to write a bit of raw data to the net.
|
||||
* It will force a transmit of the buffer if necessary
|
||||
*
|
||||
* arguments
|
||||
* ptr - A pointer to a character string to write
|
||||
* len - How many bytes to write
|
||||
*/
|
||||
void
|
||||
writenet(ptr, len)
|
||||
register unsigned char *ptr;
|
||||
register int len;
|
||||
{
|
||||
/* flush buffer if no room for new data) */
|
||||
if ((&netobuf[BUFSIZ] - nfrontp) < len) {
|
||||
/* if this fails, don't worry, buffer is a little big */
|
||||
netflush();
|
||||
}
|
||||
|
||||
memmove(nfrontp, ptr, len);
|
||||
nfrontp += len;
|
||||
|
||||
} /* end of writenet */
|
||||
|
||||
|
||||
/*
|
||||
* miscellaneous functions doing a variety of little jobs follow ...
|
||||
*/
|
||||
|
@ -74,7 +74,7 @@ extern char ptyobuf[BUFSIZ+NETSLOP], *pfrontp, *pbackp;
|
||||
|
||||
extern char netibuf[BUFSIZ], *netip;
|
||||
|
||||
extern char netobuf[BUFSIZ+NETSLOP], *nfrontp, *nbackp;
|
||||
extern char netobuf[BUFSIZ], *nfrontp, *nbackp;
|
||||
extern char *neturg; /* one past last bye of urgent data */
|
||||
|
||||
extern int pcc, ncc;
|
||||
@ -187,8 +187,7 @@ extern void
|
||||
tty_setsofttab P((int)),
|
||||
tty_tspeed P((int)),
|
||||
willoption P((int)),
|
||||
wontoption P((int)),
|
||||
writenet P((unsigned char *, int));
|
||||
wontoption P((int));
|
||||
|
||||
int output_data __P((const char *, ...)) __printflike(1, 2);
|
||||
int output_datalen __P((const char *, size_t));
|
||||
|
@ -204,7 +204,7 @@ end_slc(bufp)
|
||||
(void) sprintf((char *)slcptr, "%c%c", IAC, SE);
|
||||
slcptr += 2;
|
||||
len = slcptr - slcbuf;
|
||||
writenet(slcbuf, len);
|
||||
output_datalen(slcbuf, len);
|
||||
netflush(); /* force it out immediately */
|
||||
DIAG(TD_OPTIONS, printsub('>', slcbuf+2, len-2););
|
||||
}
|
||||
|
@ -1606,7 +1606,7 @@ send_status()
|
||||
ADD(IAC);
|
||||
ADD(SE);
|
||||
|
||||
writenet(statusbuf, ncp - statusbuf);
|
||||
output_datalen(statusbuf, ncp - statusbuf);
|
||||
netflush(); /* Send it on its way */
|
||||
|
||||
DIAG(TD_OPTIONS,
|
||||
@ -1631,7 +1631,7 @@ output_data(const char *format, ...)
|
||||
remaining = BUFSIZ - (nfrontp - netobuf);
|
||||
}
|
||||
ret = vsnprintf(nfrontp, remaining, format, args);
|
||||
nfrontp += ((ret < remaining - 1) ? ret : remaining - 1);
|
||||
nfrontp += (ret < remaining) ? ret : remaining;
|
||||
va_end(args);
|
||||
return ret;
|
||||
}
|
||||
@ -1645,9 +1645,9 @@ output_datalen(const char *buf, size_t len)
|
||||
if (remaining < len) {
|
||||
netflush();
|
||||
remaining = BUFSIZ - (nfrontp - netobuf);
|
||||
}
|
||||
if (remaining < len)
|
||||
return -1;
|
||||
}
|
||||
memmove(nfrontp, buf, len);
|
||||
nfrontp += len;
|
||||
return (len);
|
||||
|
@ -317,33 +317,6 @@ netflush()
|
||||
} /* end of netflush */
|
||||
|
||||
|
||||
/*
|
||||
* writenet
|
||||
*
|
||||
* Just a handy little function to write a bit of raw data to the net.
|
||||
* It will force a transmit of the buffer if necessary
|
||||
*
|
||||
* arguments
|
||||
* ptr - A pointer to a character string to write
|
||||
* len - How many bytes to write
|
||||
*/
|
||||
void
|
||||
writenet(ptr, len)
|
||||
register unsigned char *ptr;
|
||||
register int len;
|
||||
{
|
||||
/* flush buffer if no room for new data) */
|
||||
if ((&netobuf[BUFSIZ] - nfrontp) < len) {
|
||||
/* if this fails, don't worry, buffer is a little big */
|
||||
netflush();
|
||||
}
|
||||
|
||||
memmove(nfrontp, ptr, len);
|
||||
nfrontp += len;
|
||||
|
||||
} /* end of writenet */
|
||||
|
||||
|
||||
/*
|
||||
* miscellaneous functions doing a variety of little jobs follow ...
|
||||
*/
|
||||
|