Merge r309638 from head:

  When telnetd(8) composes argument list for login(1), an unexpected sequence
  of memory allocation failures combined with insufficient error checking
  could result in the construction and execution of an argument sequence that
  was not intended.

  Fix that treating malloc(3) failures as fatal condition.

Submitted by:	brooks
Security:	FreeBSD-SA-16:36.telnetd

1 files changed, 4 insertions, 3 deletions

diff --git a/contrib/telnet/telnetd/sys_term.c b/contrib/telnet/telnetd/sys_term.c
index f9b9461..a2e551f 100644
--- a/contrib/telnet/telnetd/sys_term.c
+++ b/contrib/telnet/telnetd/sys_term.c
@@ -1159,7 +1159,7 @@ addarg(char **argv, const char *val)
 		 */
 		argv = (char **)malloc(sizeof(*argv) * 12);
 		if (argv == NULL)
-			return(NULL);
+			fatal(net, "failure allocating argument space");
 		*argv++ = (char *)10;
 		*argv = (char *)0;
 	}
@@ -1170,11 +1170,12 @@ addarg(char **argv, const char *val)
 		*argv = (char *)((long)(*argv) + 10);
 		argv = (char **)realloc(argv, sizeof(*argv)*((long)(*argv) + 2));
 		if (argv == NULL)
-			return(NULL);
+			fatal(net, "failure allocating argument space");
 		argv++;
 		cpp = &argv[(long)argv[-1] - 10];
 	}
-	*cpp++ = strdup(val);
+	if ((*cpp++ = strdup(val)) == NULL)
+		fatal(net, "failure allocating argument space");
 	*cpp = 0;
 	return(argv);
 }