summaryrefslogtreecommitdiffstats
path: root/usr.bin/telnet
diff options
context:
space:
mode:
authorimp <imp@FreeBSD.org>2000-09-20 23:07:04 +0000
committerimp <imp@FreeBSD.org>2000-09-20 23:07:04 +0000
commit47651a84a171cee2564b0f649161197ade4cc271 (patch)
tree81b3018a1ed6e9b26b18037e7d1f165fa2922a76 /usr.bin/telnet
parentde69fdf50b0c4a7db6616d494a19b5da4ca4a18b (diff)
downloadFreeBSD-src-47651a84a171cee2564b0f649161197ade4cc271.zip
FreeBSD-src-47651a84a171cee2564b0f649161197ade4cc271.tar.gz
Fix buffer overflow when DISPLAY is longer than 43 characters. This
is not exploitable because telnet doesn't run with elevated privs. Didn't fix all the other potential buffer overflows. Would be a good task for someone who has lots of time to carefully study each case because cut and paste solutions are dangerous for this code base. Added $FreeBSD$ in the same way that command.c did it.
Diffstat (limited to 'usr.bin/telnet')
-rw-r--r--usr.bin/telnet/telnet.c11
1 files changed, 7 insertions, 4 deletions
diff --git a/usr.bin/telnet/telnet.c b/usr.bin/telnet/telnet.c
index 8d2aa87..0cd53d7 100644
--- a/usr.bin/telnet/telnet.c
+++ b/usr.bin/telnet/telnet.c
@@ -29,6 +29,8 @@
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
+ *
+ * $FreeBSD$
*/
#ifndef lint
@@ -946,16 +948,17 @@ suboption()
unsigned char temp[50], *dp;
int len;
- if ((dp = env_getvalue((unsigned char *)"DISPLAY")) == NULL) {
+ if ((dp = env_getvalue((unsigned char *)"DISPLAY")) == NULL ||
+ strlen(dp) > sizeof(temp) - 7) {
/*
* Something happened, we no longer have a DISPLAY
- * variable. So, turn off the option.
+ * variable. Or it is too long. So, turn off the option.
*/
send_wont(TELOPT_XDISPLOC, 1);
break;
}
- sprintf((char *)temp, "%c%c%c%c%s%c%c", IAC, SB, TELOPT_XDISPLOC,
- TELQUAL_IS, dp, IAC, SE);
+ snprintf((char *)temp, sizeof(temp), "%c%c%c%c%s%c%c", IAC, SB,
+ TELOPT_XDISPLOC, TELQUAL_IS, dp, IAC, SE);
len = strlen((char *)temp+4) + 4; /* temp[3] is 0 ... */
if (len < NETROOM()) {
OpenPOWER on IntegriCloud