Catch any attempted buffer overflows. The magic numbers in this code
(512) are a little distressing, but the method really needs to be extended to allow server-supplied DH parameters anyway. Submitted by: kris git-svn-id: http://svn0.us-east.freebsd.org/base/head/contrib/telnet@76690 ccf9f872-aa2e-dd11-9fc8-001c23d0bc1f
This commit is contained in:
parent
ebece97cb0
commit
0a0c02d634
|
@ -90,9 +90,9 @@ int server;
|
|||
str_data[3] = TELQUAL_IS;
|
||||
|
||||
user = (char *)malloc(256);
|
||||
xuser = (char *)malloc(512);
|
||||
xuser = (char *)malloc(513);
|
||||
pass = (char *)malloc(256);
|
||||
xpass = (char *)malloc(512);
|
||||
xpass = (char *)malloc(513);
|
||||
|
||||
if (user == NULL || xuser == NULL || pass == NULL || xpass ==
|
||||
NULL)
|
||||
|
@ -158,6 +158,8 @@ int cnt;
|
|||
|
||||
case SRA_USER:
|
||||
/* decode KAB(u) */
|
||||
if (cnt > 512) /* Attempted buffer overflow */
|
||||
break;
|
||||
memcpy(xuser,data,cnt);
|
||||
xuser[cnt] = '\0';
|
||||
pk_decode(xuser,user,&ck);
|
||||
|
@ -167,6 +169,8 @@ int cnt;
|
|||
break;
|
||||
|
||||
case SRA_PASS:
|
||||
if (cnt > 512) /* Attempted buffer overflow */
|
||||
break;
|
||||
/* decode KAB(P) */
|
||||
memcpy(xpass,data,cnt);
|
||||
xpass[cnt] = '\0';
|
||||
|
|
Loading…
Reference in New Issue