From 0a0c02d634676cd54edecf5eb973ba0d9a4be6b2 Mon Sep 17 00:00:00 2001
From: nsayer
Date: Wed, 16 May 2001 18:27:09 +0000
Subject: [PATCH] Catch any attempted buffer overflows. The magic numbers in this code (512) are a little distressing, but the method really needs to be extended to allow server-supplied DH parameters anyway.
Submitted by: kris
git-svn-id: http://svn0.us-east.freebsd.org/base/head/contrib/telnet@76690 ccf9f872-aa2e-dd11-9fc8-001c23d0bc1f
---
 libtelnet/sra.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/libtelnet/sra.c b/libtelnet/sra.c
index 0d49453..a77b2f2 100644
--- a/libtelnet/sra.c
+++ b/libtelnet/sra.c
@@ -90,9 +90,9 @@ int server;
 str_data[3] = TELQUAL_IS;
 user = (char *)malloc(256);
- xuser = (char *)malloc(512);
+ xuser = (char *)malloc(513);
 pass = (char *)malloc(256);
- xpass = (char *)malloc(512);
+ xpass = (char *)malloc(513);
 if (user == NULL || xuser == NULL || pass == NULL || xpass == NULL)
@@ -158,6 +158,8 @@ int cnt;
 case SRA_USER:
 /* decode KAB(u) */
+ if (cnt > 512) /* Attempted buffer overflow */
+ break;
 memcpy(xuser,data,cnt);
 xuser[cnt] = '\0';
 pk_decode(xuser,user,&ck);
@@ -167,6 +169,8 @@ int cnt;
 break;
 case SRA_PASS:
+ if (cnt > 512) /* Attempted buffer overflow */
+ break;
 /* decode KAB(P) */
 memcpy(xpass,data,cnt);
 xpass[cnt] = '\0';
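Review bot: The `malloc(513)` sizes for `xuser` and `xpass` in the first hunk are tied to the `cnt > 512` checks in the two later hunks only by bare literals, so editing one without the other can quietly bring back the off-by-one on the terminating NUL. A shared constant would keep them in step, for example `#define SRA_XBUF_MAX 512` (the name is only a suggestion) with `malloc(SRA_XBUF_MAX + 1)` here and `cnt > SRA_XBUF_MAX` at the checks, plus a comment such as `/* +1: room for the terminating NUL */`. The enclosing function starts and ends outside the hunk.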
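Review bot: The new guard `if (cnt > 512)` in the SRA_USER case, and the identical one in the SRA_PASS hunk, rejects only large values. `cnt` is declared `int` according to the hunk header, so a negative value would pass the test, be converted to a very large size in `memcpy(xuser,data,cnt)`, and make `xuser[cnt] = '\0'` write outside the allocation. Unless the caller guarantees a non-negative count, which is not visible here, the check should read `if (cnt < 0 || cnt > 512)`. Separately, `pk_decode(xuser,user,&ck)` writes into `user`, which stays at 256 bytes while `xuser` may hold up to 512 characters; pk_decode is not shown, so it is worth confirming that it bounds its output. The enclosing function extends outside the hunk.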
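Review bot: In the SRA_PASS case the oversized-input path is a bare `break`, so as far as this hunk shows nothing is logged and no failure is signalled; what follows the switch is outside the hunk. For a detection trail and a clean failure, consider logging the event and failing the authentication explicitly, with a comment such as `/* oversized field: treat as failed authentication */`; the same applies to the SRA_USER case. As a style point, the check here sits above `/* decode KAB(P) */` while in SRA_USER it sits below `/* decode KAB(u) */`; placing both after the comment keeps the two cases parallel.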