diff options
| author | nsayer <nsayer@FreeBSD.org> | 2001-05-16 18:27:09 +0000 |
|---|---|---|
| committer | nsayer <nsayer@FreeBSD.org> | 2001-05-16 18:27:09 +0000 |
| commit | ca01fb27dc03aff905825f3a18debbf67655f820 (patch) | |
| tree | 96ec947d60314a067a7749f1c4eadbc8f699a8a8 | |
| parent | ce94eedfd7bd26a15c6f1b0f9484bbade3510f74 (diff) | |
| download | FreeBSD-src-ca01fb27dc03aff905825f3a18debbf67655f820.zip FreeBSD-src-ca01fb27dc03aff905825f3a18debbf67655f820.tar.gz | |
Catch any attempted buffer overflows. The magic numbers in this code
(512) are a little distressing, but the method really needs to be
extended to allow server-supplied DH parameters anyway.
Submitted by: kris
| -rw-r--r-- | contrib/telnet/libtelnet/sra.c | 8 | ||||
| -rw-r--r-- | crypto/telnet/libtelnet/sra.c | 8 |
2 files changed, 12 insertions, 4 deletions
diff --git a/contrib/telnet/libtelnet/sra.c b/contrib/telnet/libtelnet/sra.c index 0d49453..a77b2f2 100644 --- a/contrib/telnet/libtelnet/sra.c +++ b/contrib/telnet/libtelnet/sra.c @@ -90,9 +90,9 @@ int server; str_data[3] = TELQUAL_IS; user = (char *)malloc(256); - xuser = (char *)malloc(512); + xuser = (char *)malloc(513); pass = (char *)malloc(256); - xpass = (char *)malloc(512); + xpass = (char *)malloc(513); if (user == NULL || xuser == NULL || pass == NULL || xpass == NULL) @@ -158,6 +158,8 @@ int cnt; case SRA_USER: /* decode KAB(u) */ + if (cnt > 512) /* Attempted buffer overflow */ + break; memcpy(xuser,data,cnt); xuser[cnt] = '\0'; pk_decode(xuser,user,&ck); @@ -167,6 +169,8 @@ int cnt; break; case SRA_PASS: + if (cnt > 512) /* Attempted buffer overflow */ + break; /* decode KAB(P) */ memcpy(xpass,data,cnt); xpass[cnt] = '\0'; diff --git a/crypto/telnet/libtelnet/sra.c b/crypto/telnet/libtelnet/sra.c index 0d49453..a77b2f2 100644 --- a/crypto/telnet/libtelnet/sra.c +++ b/crypto/telnet/libtelnet/sra.c @@ -90,9 +90,9 @@ int server; str_data[3] = TELQUAL_IS; user = (char *)malloc(256); - xuser = (char *)malloc(512); + xuser = (char *)malloc(513); pass = (char *)malloc(256); - xpass = (char *)malloc(512); + xpass = (char *)malloc(513); if (user == NULL || xuser == NULL || pass == NULL || xpass == NULL) @@ -158,6 +158,8 @@ int cnt; case SRA_USER: /* decode KAB(u) */ + if (cnt > 512) /* Attempted buffer overflow */ + break; memcpy(xuser,data,cnt); xuser[cnt] = '\0'; pk_decode(xuser,user,&ck); @@ -167,6 +169,8 @@ int cnt; break; case SRA_PASS: + if (cnt > 512) /* Attempted buffer overflow */ + break; /* decode KAB(P) */ memcpy(xpass,data,cnt); xpass[cnt] = '\0'; |
