From 7039a85a068b696972fcc41b36349977d9889a9a Mon Sep 17 00:00:00 2001
From: glebius <glebius@FreeBSD.org>
Date: Tue, 6 Dec 2016 18:49:48 +0000
Subject: Fix possible login(1) argument injection in telnetd(8). [SA-16:36]
 Fix link_ntoa(3) buffer overflow in libc. [SA-16:37] Fix possible escape from
 bhyve(8) virtual machine. [SA-16:38] Fix warnings about valid time zone
 abbreviations. [EN-16:19] Update timezone database information. [EN-16:20]

Security:	FreeBSD-SA-16:36.telnetd
Security:	FreeBSD-SA-16:37.libc
Security:	FreeBSD-SA-16:38.bhyve
Errata Notice:	FreeBSD-EN-16:19.tzcode
Errata Notice:	FreeBSD-EN-16:20.tzdata
Approved by:	so
---
 contrib/telnet/telnetd/sys_term.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

(limited to 'contrib')

diff --git a/contrib/telnet/telnetd/sys_term.c b/contrib/telnet/telnetd/sys_term.c
index f9b9461..a2e551f 100644
--- a/contrib/telnet/telnetd/sys_term.c
+++ b/contrib/telnet/telnetd/sys_term.c
@@ -1159,7 +1159,7 @@ addarg(char **argv, const char *val)
 		 */
 		argv = (char **)malloc(sizeof(*argv) * 12);
 		if (argv == NULL)
-			return(NULL);
+			fatal(net, "failure allocating argument space");
 		*argv++ = (char *)10;
 		*argv = (char *)0;
 	}
@@ -1170,11 +1170,12 @@ addarg(char **argv, const char *val)
 		*argv = (char *)((long)(*argv) + 10);
 		argv = (char **)realloc(argv, sizeof(*argv)*((long)(*argv) + 2));
 		if (argv == NULL)
-			return(NULL);
+			fatal(net, "failure allocating argument space");
 		argv++;
 		cpp = &argv[(long)argv[-1] - 10];
 	}
-	*cpp++ = strdup(val);
+	if ((*cpp++ = strdup(val)) == NULL)
+		fatal(net, "failure allocating argument space");
 	*cpp = 0;
 	return(argv);
 }
-- 
cgit v1.1