Source-Changes-HG archive


[src/netbsd-3]: src/usr.bin/telnet Pull up revision 1.30 (requested by tron i...



details:   https://anonhg.NetBSD.org/src/rev/75c9388a0e80
branches:  netbsd-3
changeset: 575313:75c9388a0e80
user:      he <he%NetBSD.org@localhost>
date:      Fri Apr 08 15:37:43 2005 +0000

description:
Pull up revision 1.30 (requested by tron in ticket #124):
  Plug buffer overflows, ref. CAN 2005-0468 and 2005-0469.
  Patch from MIT/Kerberos (MITKRB5-SA-2005-001-telnet.txt).

diffstat:

 usr.bin/telnet/telnet.c |  26 +++++++++++++++-----------
 1 files changed, 15 insertions(+), 11 deletions(-)

diffs (79 lines):

diff -r 1b762345129a -r 75c9388a0e80 usr.bin/telnet/telnet.c
--- a/usr.bin/telnet/telnet.c   Fri Apr 08 13:41:48 2005 +0000
+++ b/usr.bin/telnet/telnet.c   Fri Apr 08 15:37:43 2005 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: telnet.c,v 1.29 2004/11/04 07:22:47 dsl Exp $  */
+/*     $NetBSD: telnet.c,v 1.29.2.1 2005/04/08 15:37:43 he Exp $       */
 
 /*
  * Copyright (c) 1988, 1990, 1993
@@ -34,7 +34,7 @@
 #if 0
 static char sccsid[] = "@(#)telnet.c   8.4 (Berkeley) 5/30/95";
 #else
-__RCSID("$NetBSD: telnet.c,v 1.29 2004/11/04 07:22:47 dsl Exp $");
+__RCSID("$NetBSD: telnet.c,v 1.29.2.1 2005/04/08 15:37:43 he Exp $");
 #endif
 #endif /* not lint */
 
@@ -1440,6 +1440,8 @@
 void
 slc_add_reply(unsigned int func, unsigned int flags, cc_t value)
 {
+       if ((slc_replyp - slc_reply) + 6 > sizeof(slc_reply))
+               return;
        if ((*slc_replyp++ = func) == IAC)
                *slc_replyp++ = IAC;
        if ((*slc_replyp++ = flags) == IAC)
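Review bot: The new guard in slc_add_reply reserves 6 bytes for the triple but nothing for the two-byte `IAC SE` trailer that slc_end_reply appends. If the buffer fills to within two bytes of its end, the `len + 2 > sizeof(slc_reply)` check added in the next hunk returns without sending, so the whole accumulated reply is discarded rather than only the triples that did not fit. Reserving the trailer here, `if ((slc_replyp - slc_reply) + 6 + 2 > sizeof(slc_reply))`, would keep a truncated reply sendable; whether a truncated or a dropped reply is preferable is a protocol decision the hunk does not document. The bare `6` also deserves a comment such as `/* func, flags, value: each may be doubled when it equals IAC */`. The function body continues past the end of this hunk.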
@@ -1453,11 +1455,12 @@
 {
     int len;
 
+    len = slc_replyp - slc_reply;
+    if (len <= 4 || (len + 2 > sizeof(slc_reply)))
+       return;
     *slc_replyp++ = IAC;
     *slc_replyp++ = SE;
-    len = slc_replyp - slc_reply;
-    if (len <= 6)
-       return;
+    len += 2;
     if (NETROOM() > len) {
        ring_supply_data(&netoring, slc_reply, slc_replyp - slc_reply);
        printsub('>', &slc_reply[2], slc_replyp - slc_reply - 2);
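Review bot: In `len + 2 > sizeof(slc_reply)`, `len` is an `int` compared against a `size_t`, so the bound check relies on an implicit signed-to-unsigned conversion. It is correct only because `slc_replyp` never sits below `slc_reply`; making that explicit with `if (len <= 4 || (size_t)len + 2 > sizeof(slc_reply))` documents the assumption and silences sign-compare warnings. The overflow branch also returns silently, and from this hunk it is not visible whether `slc_replyp` is reset before the next reply is built; a short comment stating who resets it would help. The function starts and ends outside the hunk.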
@@ -1612,6 +1615,7 @@
 env_opt_add(unsigned char *ep)
 {
        unsigned char *vp, c;
+       unsigned int len, olen, elen;
 
        if (opt_reply == NULL)          /*XXX*/
                return;                 /*XXX*/
@@ -1629,13 +1633,13 @@
                return;
        }
        vp = env_getvalue(ep);
-       if (opt_replyp + (vp ? strlen((char *)vp) : 0) +
-                               strlen((char *)ep) + 6 > opt_replyend)
+       elen = 2 * (vp ? strlen((char *)vp) : 0) +
+               2 * strlen((char *)ep) + 6;
+       if ((opt_replyend - opt_replyp) < elen)
        {
-               int len;
                unsigned char *p;
-               opt_replyend += OPT_REPLY_SIZE;
-               len = opt_replyend - opt_reply;
+               len = opt_replyend - opt_reply + elen;
+               olen = opt_replyp - opt_reply;
                p = (unsigned char *)realloc(opt_reply, len);
                if (p == NULL)
                        free(opt_reply);
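Review bot: The sizes `elen`, `len` and `olen` are declared `unsigned int` in the previous hunk, but they are assigned from `strlen()` results and pointer differences. On LP64 targets the `2 * strlen(...) + 2 * strlen(...) + 6` sum is therefore truncated, and it can wrap before the `(opt_replyend - opt_replyp) < elen` test and the `realloc(opt_reply, len)` call. Practical environment strings are far smaller, but a bounds fix should not depend on that; declaring them as `size_t len, olen, elen;` removes the narrowing. The factor of 2 presumably covers worst-case escaping of every byte, and a one-line comment saying so would stop a later edit from tightening it. The buffer now grows by exactly `elen` per call instead of by `OPT_REPLY_SIZE`, which means a realloc for nearly every variable; growing by `elen + OPT_REPLY_SIZE` would keep the old amortisation. The function continues outside this hunk.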
@@ -1645,7 +1649,7 @@
                        opt_reply = opt_replyp = opt_replyend = NULL;
                        return;
                }
-               opt_replyp = opt_reply + len - (opt_replyend - opt_replyp);
+               opt_replyp = opt_reply + olen;
                opt_replyend = opt_reply + len;
        }
        if (opt_welldefined(ep))


