Fixed the exploitable remote buffer overflow.

Reported on: bugtraq Obtained from: Heimdal, NetBSD Reviewed by: obrien, imp
author: ru <ru@FreeBSD.org> 2001-07-19 17:48:57 +0000
committer: ru <ru@FreeBSD.org> 2001-07-19 17:48:57 +0000
commit: 9cac33d71fc5f6846362da63a753c08e90efa427 (patch)
tree: be1f96775e90a28babf09a5748699e16c80568d6 /crypto/telnet/telnetd/termstat.c
parent: 32934481938551563374cb61f766b1f332377ee6 (diff)
download: FreeBSD-src-9cac33d71fc5f6846362da63a753c08e90efa427.zip
FreeBSD-src-9cac33d71fc5f6846362da63a753c08e90efa427.tar.gz
1 files changed, 6 insertions, 12 deletions
diff --git a/crypto/telnet/telnetd/termstat.c b/crypto/telnet/telnetd/termstat.c
index e94720c..30230d4 100644
--- a/crypto/telnet/telnetd/termstat.c
+++ b/crypto/telnet/telnetd/termstat.c
@@ -302,10 +302,9 @@ localstat()
 # endif	/* KLUDGELINEMODE */
 			send_do(TELOPT_LINEMODE, 1);
 			/* send along edit modes */
-			(void) sprintf(nfrontp, "%c%c%c%c%c%c%c", IAC, SB,
+			output_data("%c%c%c%c%c%c%c", IAC, SB,
 				TELOPT_LINEMODE, LM_MODE, useeditmode,
 				IAC, SE);
-			nfrontp += 7;
 			editmode = useeditmode;
 # ifdef	KLUDGELINEMODE
 		}
@@ -331,10 +330,9 @@ localstat()
 			/*
 			 * Send along appropriate edit mode mask.
 			 */
-			(void) sprintf(nfrontp, "%c%c%c%c%c%c%c", IAC, SB,
+			output_data("%c%c%c%c%c%c%c", IAC, SB,
 				TELOPT_LINEMODE, LM_MODE, useeditmode,
 				IAC, SE);
-			nfrontp += 7;
 			editmode = useeditmode;
 		}
 
@@ -378,20 +376,18 @@ flowstat()
 	if (his_state_is_will(TELOPT_LFLOW)) {
 		if (tty_flowmode() != flowmode) {
 			flowmode = tty_flowmode();
-			(void) sprintf(nfrontp, "%c%c%c%c%c%c",
+			output_data("%c%c%c%c%c%c",
 					IAC, SB, TELOPT_LFLOW,
 					flowmode ? LFLOW_ON : LFLOW_OFF,
 					IAC, SE);
-			nfrontp += 6;
 		}
 		if (tty_restartany() != restartany) {
 			restartany = tty_restartany();
-			(void) sprintf(nfrontp, "%c%c%c%c%c%c",
+			output_data("%c%c%c%c%c%c",
 					IAC, SB, TELOPT_LFLOW,
 					restartany ? LFLOW_RESTART_ANY
 						   : LFLOW_RESTART_XON,
 					IAC, SE);
-			nfrontp += 6;
 		}
 	}
 }
@@ -464,10 +460,9 @@ clientstat(code, parm1, parm2)
 					useeditmode |= MODE_SOFT_TAB;
 				if (tty_islitecho())
 					useeditmode |= MODE_LIT_ECHO;
-				(void) sprintf(nfrontp, "%c%c%c%c%c%c%c", IAC,
+				output_data("%c%c%c%c%c%c%c", IAC,
 					SB, TELOPT_LINEMODE, LM_MODE,
 							useeditmode, IAC, SE);
-				nfrontp += 7;
 				editmode = useeditmode;
 			}
 
@@ -523,11 +518,10 @@ clientstat(code, parm1, parm2)
 			set_termbuf();
 
  			if (!ack) {
- 				(void) sprintf(nfrontp, "%c%c%c%c%c%c%c", IAC,
+				output_data("%c%c%c%c%c%c%c", IAC,
 					SB, TELOPT_LINEMODE, LM_MODE,
  					useeditmode|MODE_ACK,
  					IAC, SE);
- 				nfrontp += 7;
  			}
 
 			editmode = useeditmode;
author	ru <ru@FreeBSD.org>	2001-07-19 17:48:57 +0000
committer	ru <ru@FreeBSD.org>	2001-07-19 17:48:57 +0000
commit	9cac33d71fc5f6846362da63a753c08e90efa427 (patch)
tree	be1f96775e90a28babf09a5748699e16c80568d6 /crypto/telnet/telnetd/termstat.c
parent	32934481938551563374cb61f766b1f332377ee6 (diff)
download	FreeBSD-src-9cac33d71fc5f6846362da63a753c08e90efa427.zip FreeBSD-src-9cac33d71fc5f6846362da63a753c08e90efa427.tar.gz