From d2f83e4ec488ec62281318b26dad107e65d96d0c Mon Sep 17 00:00:00 2001
From: kris <kris@FreeBSD.org>
Date: Sun, 29 Oct 2000 00:10:14 +0000
Subject: Sync with usr.bin/telnet/telnet.c r1.9 - fix buffer overflow in
 DISPLAY

---
 crypto/telnet/telnet/telnet.c | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)

(limited to 'crypto')

diff --git a/crypto/telnet/telnet/telnet.c b/crypto/telnet/telnet/telnet.c
index 63fb9d7..36d1d21 100644
--- a/crypto/telnet/telnet/telnet.c
+++ b/crypto/telnet/telnet/telnet.c
@@ -29,6 +29,8 @@
  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  * SUCH DAMAGE.
+ *
+ * $FreeBSD$
  */
 
 #ifndef lint
@@ -970,16 +972,17 @@ suboption()
 	    unsigned char temp[50], *dp;
 	    int len;
 
-	    if ((dp = env_getvalue((unsigned char *)"DISPLAY")) == NULL) {
+	    if ((dp = env_getvalue((unsigned char *)"DISPLAY")) == NULL ||
+		strlen(dp) > sizeof(temp) - 7) {
 		/*
 		 * Something happened, we no longer have a DISPLAY
-		 * variable.  So, turn off the option.
+		 * variable.  Or it is too long.  So, turn off the option.
 		 */
 		send_wont(TELOPT_XDISPLOC, 1);
 		break;
 	    }
-	    sprintf((char *)temp, "%c%c%c%c%s%c%c", IAC, SB, TELOPT_XDISPLOC,
-		    TELQUAL_IS, dp, IAC, SE);
+	    snprintf((char *)temp, sizeof(temp), "%c%c%c%c%s%c%c", IAC, SB,
+		    TELOPT_XDISPLOC, TELQUAL_IS, dp, IAC, SE);
 	    len = strlen((char *)temp+4) + 4;	/* temp[3] is 0 ... */
 
 	    if (len < NETROOM()) {
-- 
cgit v1.1