From ca01fb27dc03aff905825f3a18debbf67655f820 Mon Sep 17 00:00:00 2001
From: nsayer <nsayer@FreeBSD.org>
Date: Wed, 16 May 2001 18:27:09 +0000
Subject: Catch any attempted buffer overflows. The magic numbers in this code
 (512) are a little distressing, but the method really needs to be extended to
 allow server-supplied DH parameters anyway.

Submitted by:	kris
---
 crypto/telnet/libtelnet/sra.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

(limited to 'crypto/telnet')

diff --git a/crypto/telnet/libtelnet/sra.c b/crypto/telnet/libtelnet/sra.c
index 0d49453..a77b2f2 100644
--- a/crypto/telnet/libtelnet/sra.c
+++ b/crypto/telnet/libtelnet/sra.c
@@ -90,9 +90,9 @@ int server;
 		str_data[3] = TELQUAL_IS;
 
 	user = (char *)malloc(256);
-	xuser = (char *)malloc(512);
+	xuser = (char *)malloc(513);
 	pass = (char *)malloc(256);
-	xpass = (char *)malloc(512);
+	xpass = (char *)malloc(513);
 
 	if (user == NULL || xuser == NULL || pass == NULL || xpass ==
 	NULL)
@@ -158,6 +158,8 @@ int cnt;
 
 	case SRA_USER:
 		/* decode KAB(u) */
+		if (cnt > 512) /* Attempted buffer overflow */
+			break;
 		memcpy(xuser,data,cnt);
 		xuser[cnt] = '\0';
 		pk_decode(xuser,user,&ck);
@@ -167,6 +169,8 @@ int cnt;
 		break;
 
 	case SRA_PASS:
+		if (cnt > 512) /* Attempted buffer overflow */
+			break;
 		/* decode KAB(P) */
 		memcpy(xpass,data,cnt);
 		xpass[cnt] = '\0';
-- 
cgit v1.1