authornsayer <nsayer@FreeBSD.org>2001-05-16 18:27:09 +0000
committernsayer <nsayer@FreeBSD.org>2001-05-16 18:27:09 +0000
commitca01fb27dc03aff905825f3a18debbf67655f820 (patch)
tree96ec947d60314a067a7749f1c4eadbc8f699a8a8
parentce94eedfd7bd26a15c6f1b0f9484bbade3510f74 (diff)
Catch any attempted buffer overflows. The magic numbers in this code
(512) are a little distressing, but the method really needs to be extended to allow server-supplied DH parameters anyway. Submitted by: kris
-rw-r--r--contrib/telnet/libtelnet/sra.c8
-rw-r--r--crypto/telnet/libtelnet/sra.c8
2 files changed, 12 insertions, 4 deletions
diff --git a/contrib/telnet/libtelnet/sra.c b/contrib/telnet/libtelnet/sra.c
index 0d49453..a77b2f2 100644
--- a/contrib/telnet/libtelnet/sra.c
+++ b/contrib/telnet/libtelnet/sra.c
@@ -90,9 +90,9 @@ int server;
str_data[3] = TELQUAL_IS;
user = (char *)malloc(256);
- xuser = (char *)malloc(512);
+ xuser = (char *)malloc(513);
pass = (char *)malloc(256);
- xpass = (char *)malloc(512);
+ xpass = (char *)malloc(513);
if (user == NULL || xuser == NULL || pass == NULL || xpass ==
NULL)
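Review bot: `user` and `pass` stay at `malloc(256)` while the encoded buffers now accept up to 512 characters plus a terminator, so the output of `pk_decode(xuser,user,&ck)` may not fit in its destination. If the encoding is two characters per decoded byte (pk_decode is not shown on this page, so this needs confirming), 512 characters decode to 256 bytes and leave no room for a NUL in a 256-byte buffer. Either lower the length accepted by the `cnt` checks or give the decoded buffers room for the terminator, and tie the numbers together with a comment on the allocations such as `/* 512 encoded chars + NUL; must match the cnt checks in SRA_USER/SRA_PASS */`. The same allocations appear in the crypto/telnet/libtelnet/sra.c copy, and the `if` statement at the end of this hunk continues outside it.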
@@ -158,6 +158,8 @@ int cnt;
case SRA_USER:
/* decode KAB(u) */
+ if (cnt > 512) /* Attempted buffer overflow */
+ break;
memcpy(xuser,data,cnt);
xuser[cnt] = '\0';
pk_decode(xuser,user,&ck);
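Review bot: The new `if (cnt > 512)` guard in the SRA_USER case tests only the upper bound, and the hunk header shows `cnt` declared as `int`. A negative value would pass the check, become a very large size in `memcpy(xuser,data,cnt)` and index before the buffer in `xuser[cnt] = '\0'`. Whether `cnt` can be negative at this point depends on the caller and on earlier code in this function, both outside the hunk; unless that is guaranteed, write the guard as `if (cnt < 0 || cnt > 512)`. The same applies to the SRA_PASS check in the next hunk and to both checks in the crypto/telnet/libtelnet/sra.c copy. The rejected message is dropped with a bare `break`, so a short comment on what state the exchange is left in would help anyone auditing failed logins.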
@@ -167,6 +169,8 @@ int cnt;
break;
case SRA_PASS:
+ if (cnt > 512) /* Attempted buffer overflow */
+ break;
/* decode KAB(P) */
memcpy(xpass,data,cnt);
xpass[cnt] = '\0';
diff --git a/crypto/telnet/libtelnet/sra.c b/crypto/telnet/libtelnet/sra.c
index 0d49453..a77b2f2 100644
--- a/crypto/telnet/libtelnet/sra.c
+++ b/crypto/telnet/libtelnet/sra.c
@@ -90,9 +90,9 @@ int server;
str_data[3] = TELQUAL_IS;
user = (char *)malloc(256);
- xuser = (char *)malloc(512);
+ xuser = (char *)malloc(513);
pass = (char *)malloc(256);
- xpass = (char *)malloc(512);
+ xpass = (char *)malloc(513);
if (user == NULL || xuser == NULL || pass == NULL || xpass ==
NULL)
@@ -158,6 +158,8 @@ int cnt;
case SRA_USER:
/* decode KAB(u) */
+ if (cnt > 512) /* Attempted buffer overflow */
+ break;
memcpy(xuser,data,cnt);
xuser[cnt] = '\0';
pk_decode(xuser,user,&ck);
@@ -167,6 +169,8 @@ int cnt;
break;
case SRA_PASS:
+ if (cnt > 512) /* Attempted buffer overflow */
+ break;
/* decode KAB(P) */
memcpy(xpass,data,cnt);
xpass[cnt] = '\0';