diff options
author | ru <ru@FreeBSD.org> | 2001-07-20 12:02:30 +0000 |
---|---|---|
committer | ru <ru@FreeBSD.org> | 2001-07-20 12:02:30 +0000 |
commit | 4b023c5a9f160b15b1ae45ac500512e1209b8c02 (patch) | |
tree | 423ada7eed1633a885efca42128ef9d5203034c1 /contrib/telnet/telnetd | |
parent | 719efadfd6a1b229021ba4ba691e87765dea919b (diff) | |
download | FreeBSD-src-4b023c5a9f160b15b1ae45ac500512e1209b8c02.zip FreeBSD-src-4b023c5a9f160b15b1ae45ac500512e1209b8c02.tar.gz |
More potential buffer overflow fixes.
o Fixed `nfrontp' calculations in output_data(). If `remaining' is
initially zero, it was possible for `nfrontp' to be decremented.
Noticed by: dillon
o Replaced leaking writenet() with output_datalen():
: * writenet
: *
: * Just a handy little function to write a bit of raw data to the net.
: * It will force a transmit of the buffer if necessary
: *
: * arguments
: * ptr - A pointer to a character string to write
: * len - How many bytes to write
: */
: void
: writenet(ptr, len)
: register unsigned char *ptr;
: register int len;
: {
: /* flush buffer if no room for new data) */
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
: if ((&netobuf[BUFSIZ] - nfrontp) < len) {
: /* if this fails, don't worry, buffer is a little big */
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
: netflush();
: }
:
: memmove(nfrontp, ptr, len);
: nfrontp += len;
:
: } /* end of writenet */
What an irony! :-)
o Optimized output_datalen() a bit.
Diffstat (limited to 'contrib/telnet/telnetd')
-rw-r--r-- | contrib/telnet/telnetd/ext.h | 5 | ||||
-rw-r--r-- | contrib/telnet/telnetd/slc.c | 2 | ||||
-rw-r--r-- | contrib/telnet/telnetd/state.c | 8 | ||||
-rw-r--r-- | contrib/telnet/telnetd/utility.c | 27 |
4 files changed, 7 insertions, 35 deletions
diff --git a/contrib/telnet/telnetd/ext.h b/contrib/telnet/telnetd/ext.h index f1bb02a..74dd985 100644 --- a/contrib/telnet/telnetd/ext.h +++ b/contrib/telnet/telnetd/ext.h @@ -74,7 +74,7 @@ extern char ptyobuf[BUFSIZ+NETSLOP], *pfrontp, *pbackp; extern char netibuf[BUFSIZ], *netip; -extern char netobuf[BUFSIZ+NETSLOP], *nfrontp, *nbackp; +extern char netobuf[BUFSIZ], *nfrontp, *nbackp; extern char *neturg; /* one past last bye of urgent data */ extern int pcc, ncc; @@ -187,8 +187,7 @@ extern void tty_setsofttab P((int)), tty_tspeed P((int)), willoption P((int)), - wontoption P((int)), - writenet P((unsigned char *, int)); + wontoption P((int)); int output_data __P((const char *, ...)) __printflike(1, 2); int output_datalen __P((const char *, size_t)); diff --git a/contrib/telnet/telnetd/slc.c b/contrib/telnet/telnetd/slc.c index 65dc689..01c4258 100644 --- a/contrib/telnet/telnetd/slc.c +++ b/contrib/telnet/telnetd/slc.c @@ -204,7 +204,7 @@ end_slc(bufp) (void) sprintf((char *)slcptr, "%c%c", IAC, SE); slcptr += 2; len = slcptr - slcbuf; - writenet(slcbuf, len); + output_datalen(slcbuf, len); netflush(); /* force it out immediately */ DIAG(TD_OPTIONS, printsub('>', slcbuf+2, len-2);); } diff --git a/contrib/telnet/telnetd/state.c b/contrib/telnet/telnetd/state.c index 1346c95..1b9372c 100644 --- a/contrib/telnet/telnetd/state.c +++ b/contrib/telnet/telnetd/state.c @@ -1606,7 +1606,7 @@ send_status() ADD(IAC); ADD(SE); - writenet(statusbuf, ncp - statusbuf); + output_datalen(statusbuf, ncp - statusbuf); netflush(); /* Send it on its way */ DIAG(TD_OPTIONS, @@ -1631,7 +1631,7 @@ output_data(const char *format, ...) remaining = BUFSIZ - (nfrontp - netobuf); } ret = vsnprintf(nfrontp, remaining, format, args); - nfrontp += ((ret < remaining - 1) ? ret : remaining - 1); + nfrontp += (ret < remaining) ? ret : remaining; va_end(args); return ret; } @@ -1645,9 +1645,9 @@ output_datalen(const char *buf, size_t len) if (remaining < len) { netflush(); remaining = BUFSIZ - (nfrontp - netobuf); + if (remaining < len) + return -1; } - if (remaining < len) - return -1; memmove(nfrontp, buf, len); nfrontp += len; return (len); diff --git a/contrib/telnet/telnetd/utility.c b/contrib/telnet/telnetd/utility.c index aa85d7a..d59657f 100644 --- a/contrib/telnet/telnetd/utility.c +++ b/contrib/telnet/telnetd/utility.c @@ -318,33 +318,6 @@ netflush() /* - * writenet - * - * Just a handy little function to write a bit of raw data to the net. - * It will force a transmit of the buffer if necessary - * - * arguments - * ptr - A pointer to a character string to write - * len - How many bytes to write - */ - void -writenet(ptr, len) - register unsigned char *ptr; - register int len; -{ - /* flush buffer if no room for new data) */ - if ((&netobuf[BUFSIZ] - nfrontp) < len) { - /* if this fails, don't worry, buffer is a little big */ - netflush(); - } - - memmove(nfrontp, ptr, len); - nfrontp += len; - -} /* end of writenet */ - - -/* * miscellaneous functions doing a variety of little jobs follow ... */ |