summaryrefslogtreecommitdiffstats
path: root/contrib/telnet/telnetd
diff options
context:
space:
mode:
authorru <ru@FreeBSD.org>2001-07-20 12:02:30 +0000
committerru <ru@FreeBSD.org>2001-07-20 12:02:30 +0000
commit4b023c5a9f160b15b1ae45ac500512e1209b8c02 (patch)
tree423ada7eed1633a885efca42128ef9d5203034c1 /contrib/telnet/telnetd
parent719efadfd6a1b229021ba4ba691e87765dea919b (diff)
downloadFreeBSD-src-4b023c5a9f160b15b1ae45ac500512e1209b8c02.zip
FreeBSD-src-4b023c5a9f160b15b1ae45ac500512e1209b8c02.tar.gz
More potential buffer overflow fixes.
o Fixed `nfrontp' calculations in output_data(). If `remaining' is initially zero, it was possible for `nfrontp' to be decremented. Noticed by: dillon o Replaced leaking writenet() with output_datalen(): : * writenet : * : * Just a handy little function to write a bit of raw data to the net. : * It will force a transmit of the buffer if necessary : * : * arguments : * ptr - A pointer to a character string to write : * len - How many bytes to write : */ : void : writenet(ptr, len) : register unsigned char *ptr; : register int len; : { : /* flush buffer if no room for new data) */ ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ : if ((&netobuf[BUFSIZ] - nfrontp) < len) { : /* if this fails, don't worry, buffer is a little big */ ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ : netflush(); : } : : memmove(nfrontp, ptr, len); : nfrontp += len; : : } /* end of writenet */ What an irony! :-) o Optimized output_datalen() a bit.
Diffstat (limited to 'contrib/telnet/telnetd')
-rw-r--r--contrib/telnet/telnetd/ext.h5
-rw-r--r--contrib/telnet/telnetd/slc.c2
-rw-r--r--contrib/telnet/telnetd/state.c8
-rw-r--r--contrib/telnet/telnetd/utility.c27
4 files changed, 7 insertions, 35 deletions
diff --git a/contrib/telnet/telnetd/ext.h b/contrib/telnet/telnetd/ext.h
index f1bb02a..74dd985 100644
--- a/contrib/telnet/telnetd/ext.h
+++ b/contrib/telnet/telnetd/ext.h
@@ -74,7 +74,7 @@ extern char ptyobuf[BUFSIZ+NETSLOP], *pfrontp, *pbackp;
extern char netibuf[BUFSIZ], *netip;
-extern char netobuf[BUFSIZ+NETSLOP], *nfrontp, *nbackp;
+extern char netobuf[BUFSIZ], *nfrontp, *nbackp;
extern char *neturg; /* one past last bye of urgent data */
extern int pcc, ncc;
@@ -187,8 +187,7 @@ extern void
tty_setsofttab P((int)),
tty_tspeed P((int)),
willoption P((int)),
- wontoption P((int)),
- writenet P((unsigned char *, int));
+ wontoption P((int));
int output_data __P((const char *, ...)) __printflike(1, 2);
int output_datalen __P((const char *, size_t));
diff --git a/contrib/telnet/telnetd/slc.c b/contrib/telnet/telnetd/slc.c
index 65dc689..01c4258 100644
--- a/contrib/telnet/telnetd/slc.c
+++ b/contrib/telnet/telnetd/slc.c
@@ -204,7 +204,7 @@ end_slc(bufp)
(void) sprintf((char *)slcptr, "%c%c", IAC, SE);
slcptr += 2;
len = slcptr - slcbuf;
- writenet(slcbuf, len);
+ output_datalen(slcbuf, len);
netflush(); /* force it out immediately */
DIAG(TD_OPTIONS, printsub('>', slcbuf+2, len-2););
}
diff --git a/contrib/telnet/telnetd/state.c b/contrib/telnet/telnetd/state.c
index 1346c95..1b9372c 100644
--- a/contrib/telnet/telnetd/state.c
+++ b/contrib/telnet/telnetd/state.c
@@ -1606,7 +1606,7 @@ send_status()
ADD(IAC);
ADD(SE);
- writenet(statusbuf, ncp - statusbuf);
+ output_datalen(statusbuf, ncp - statusbuf);
netflush(); /* Send it on its way */
DIAG(TD_OPTIONS,
@@ -1631,7 +1631,7 @@ output_data(const char *format, ...)
remaining = BUFSIZ - (nfrontp - netobuf);
}
ret = vsnprintf(nfrontp, remaining, format, args);
- nfrontp += ((ret < remaining - 1) ? ret : remaining - 1);
+ nfrontp += (ret < remaining) ? ret : remaining;
va_end(args);
return ret;
}
@@ -1645,9 +1645,9 @@ output_datalen(const char *buf, size_t len)
if (remaining < len) {
netflush();
remaining = BUFSIZ - (nfrontp - netobuf);
+ if (remaining < len)
+ return -1;
}
- if (remaining < len)
- return -1;
memmove(nfrontp, buf, len);
nfrontp += len;
return (len);
diff --git a/contrib/telnet/telnetd/utility.c b/contrib/telnet/telnetd/utility.c
index aa85d7a..d59657f 100644
--- a/contrib/telnet/telnetd/utility.c
+++ b/contrib/telnet/telnetd/utility.c
@@ -318,33 +318,6 @@ netflush()
/*
- * writenet
- *
- * Just a handy little function to write a bit of raw data to the net.
- * It will force a transmit of the buffer if necessary
- *
- * arguments
- * ptr - A pointer to a character string to write
- * len - How many bytes to write
- */
- void
-writenet(ptr, len)
- register unsigned char *ptr;
- register int len;
-{
- /* flush buffer if no room for new data) */
- if ((&netobuf[BUFSIZ] - nfrontp) < len) {
- /* if this fails, don't worry, buffer is a little big */
- netflush();
- }
-
- memmove(nfrontp, ptr, len);
- nfrontp += len;
-
-} /* end of writenet */
-
-
-/*
* miscellaneous functions doing a variety of little jobs follow ...
*/
OpenPOWER on IntegriCloud