diff options
author | glebius <glebius@FreeBSD.org> | 2016-12-06 18:52:18 +0000 |
---|---|---|
committer | glebius <glebius@FreeBSD.org> | 2016-12-06 18:52:18 +0000 |
commit | d50c6c5b00e248bc0ebd39164e5b7d56af49d701 (patch) | |
tree | a2c5d8b9ae39bb49bcc7c94a0ecc2d8138a70552 /contrib/telnet | |
parent | 930618cc2cb81648a1e52b8ed4c8300cee4599e2 (diff) | |
download | FreeBSD-src-d50c6c5b00e248bc0ebd39164e5b7d56af49d701.zip FreeBSD-src-d50c6c5b00e248bc0ebd39164e5b7d56af49d701.tar.gz |
Merge r309638 from head:
When telnetd(8) composes argument list for login(1), an unexpected sequence
of memory allocation failures combined with insufficient error checking
could result in the construction and execution of an argument sequence that
was not intended.
Fix that treating malloc(3) failures as fatal condition.
Submitted by: brooks
Security: FreeBSD-SA-16:36.telnetd
Diffstat (limited to 'contrib/telnet')
-rw-r--r-- | contrib/telnet/telnetd/sys_term.c | 7 |
1 files changed, 4 insertions, 3 deletions
diff --git a/contrib/telnet/telnetd/sys_term.c b/contrib/telnet/telnetd/sys_term.c index f9b9461..a2e551f 100644 --- a/contrib/telnet/telnetd/sys_term.c +++ b/contrib/telnet/telnetd/sys_term.c @@ -1159,7 +1159,7 @@ addarg(char **argv, const char *val) */ argv = (char **)malloc(sizeof(*argv) * 12); if (argv == NULL) - return(NULL); + fatal(net, "failure allocating argument space"); *argv++ = (char *)10; *argv = (char *)0; } @@ -1170,11 +1170,12 @@ addarg(char **argv, const char *val) *argv = (char *)((long)(*argv) + 10); argv = (char **)realloc(argv, sizeof(*argv)*((long)(*argv) + 2)); if (argv == NULL) - return(NULL); + fatal(net, "failure allocating argument space"); argv++; cpp = &argv[(long)argv[-1] - 10]; } - *cpp++ = strdup(val); + if ((*cpp++ = strdup(val)) == NULL) + fatal(net, "failure allocating argument space"); *cpp = 0; return(argv); } |