From 2c684cfa0729f688683d28936db7665b881bc85f Mon Sep 17 00:00:00 2001
From: ru
Date: Fri, 20 Jul 2001 12:02:30 +0000
Subject: [PATCH] More potential buffer overflow fixes.
o Fixed `nfrontp' calculations in output_data(). If `remaining' is initially zero, it was possible for `nfrontp' to be decremented.
Noticed by: dillon
o Replaced leaking writenet() with output_datalen():
: * writenet
: *
: * Just a handy little function to write a bit of raw data to the net.
: * It will force a transmit of the buffer if necessary
: *
: * arguments
: * ptr - A pointer to a character string to write
: * len - How many bytes to write
: */
: void
: writenet(ptr, len)
: register unsigned char *ptr;
: register int len;
: {
: /* flush buffer if no room for new data) */
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
: if ((&netobuf[BUFSIZ] - nfrontp) < len) {
: /* if this fails, don't worry, buffer is a little big */
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
: netflush();
: }
:
: memmove(nfrontp, ptr, len);
: nfrontp += len;
:
: } /* end of writenet */
What an irony! :-)
o Optimized output_datalen() a bit.
git-svn-id: http://svn0.us-east.freebsd.org/base/head/contrib/telnet@80038 ccf9f872-aa2e-dd11-9fc8-001c23d0bc1f
---
telnetd/ext.h | 5 ++---
telnetd/slc.c | 2 +-
telnetd/state.c | 8 ++++----
telnetd/utility.c | 27 ---------------------------
4 files changed, 7 insertions(+), 35 deletions(-)
diff --git a/telnetd/ext.h b/telnetd/ext.h
index f1bb02a..74dd985 100644
--- a/telnetd/ext.h
+++ b/telnetd/ext.h
@@ -74,7 +74,7 @@ extern char ptyobuf[BUFSIZ+NETSLOP], *pfrontp, *pbackp;
 extern char netibuf[BUFSIZ], *netip;
-extern char netobuf[BUFSIZ+NETSLOP], *nfrontp, *nbackp;
+extern char netobuf[BUFSIZ], *nfrontp, *nbackp;
 extern char *neturg; /* one past last bye of urgent data */
 extern int pcc, ncc;
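Review bot: Nothing in this patch shows that every remaining store through `nfrontp` is bounded by `BUFSIZ`, which is what shrinking `netobuf` from `BUFSIZ+NETSLOP` to `BUFSIZ` in this declaration now requires. The removed `writenet()` comment ("buffer is a little big") suggests at least one writer leaned on that slack, so any direct write to `nfrontp` outside `output_data()`/`output_datalen()` should be audited; none is visible here, so this is an inference to confirm against the rest of telnetd. The definition of `netobuf` is also outside the diff, and if it is separate from this header it has to shrink in the same commit. I would record the new invariant on the declaration, e.g. `/* no slop: append only via output_data()/output_datalen() */`.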
@@ -187,8 +187,7 @@ extern void
 tty_setsofttab P((int)),
 tty_tspeed P((int)),
 willoption P((int)),
- wontoption P((int)),
- writenet P((unsigned char *, int));
+ wontoption P((int));
 int output_data __P((const char *, ...)) __printflike(1, 2);
 int output_datalen __P((const char *, size_t));
diff --git a/telnetd/slc.c b/telnetd/slc.c
index 65dc689..01c4258 100644
--- a/telnetd/slc.c
+++ b/telnetd/slc.c
@@ -204,7 +204,7 @@ end_slc(bufp)
 (void) sprintf((char *)slcptr, "%c%c", IAC, SE);
 slcptr += 2;
 len = slcptr - slcbuf;
- writenet(slcbuf, len);
+ output_datalen(slcbuf, len);
 netflush(); /* force it out immediately */
 DIAG(TD_OPTIONS, printsub('>', slcbuf+2, len-2););
 }
diff --git a/telnetd/state.c b/telnetd/state.c
index 1346c95..1b9372c 100644
--- a/telnetd/state.c
+++ b/telnetd/state.c
@@ -1606,7 +1606,7 @@ send_status()
 ADD(IAC);
 ADD(SE);
- writenet(statusbuf, ncp - statusbuf);
+ output_datalen(statusbuf, ncp - statusbuf);
 netflush(); /* Send it on its way */
 DIAG(TD_OPTIONS,
@@ -1631,7 +1631,7 @@ output_data(const char *format, ...)
 remaining = BUFSIZ - (nfrontp - netobuf);
 }
 ret = vsnprintf(nfrontp, remaining, format, args);
- nfrontp += ((ret < remaining - 1) ? ret : remaining - 1);
+ nfrontp += (ret < remaining) ? ret : remaining;
 va_end(args);
 return ret;
 }
@@ -1645,9 +1645,9 @@ output_datalen(const char *buf, size_t len)
 if (remaining < len) {
 netflush();
 remaining = BUFSIZ - (nfrontp - netobuf);
+ if (remaining < len)
+ return -1;
 }
- if (remaining < len)
- return -1;
 memmove(nfrontp, buf, len);
 nfrontp += len;
 return (len);
diff --git a/telnetd/utility.c b/telnetd/utility.c
index aa85d7a..d59657f 100644
--- a/telnetd/utility.c
+++ b/telnetd/utility.c
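Review bot: The result of `output_datalen(slcbuf, len)` in `end_slc()` is discarded, and the same holds for `output_datalen(statusbuf, ncp - statusbuf)` in `send_status()` in state.c. Unlike the removed `writenet()`, `output_datalen()` copies nothing and returns -1 when the data still does not fit after `netflush()`, so a failure now drops the whole suboption reply while the following `netflush()` and `DIAG` run as if it had been queued. The call should be tested, e.g. `if (output_datalen(slcbuf, len) == -1)`, with the failure logged or the reply abandoned explicitly. `slcbuf` looks like an `unsigned char` buffer (the context line casts `slcptr` to `char *`), so passing it to a `const char *` parameter probably wants the same explicit cast; its declaration is outside the hunk, as are the beginnings of both functions.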
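Review bot: When the output is truncated, the new expression in `output_data()` advances `nfrontp` by `remaining`, but `vsnprintf()` stores at most `remaining - 1` characters followed by a terminating NUL, so the NUL is counted as queued output and would presumably be sent as an extra byte. A failing `vsnprintf()` is not handled either: if `ret` is a signed type (it is declared above the hunk), a negative return satisfies `ret < remaining` and moves `nfrontp` backwards, the same class of bug this commit fixes for `remaining == 0`. I would write the update as `if (ret > 0 && remaining > 0) nfrontp += (ret < remaining) ? ret : remaining - 1;`. Truncation also stays silent to callers, so a short comment stating that the return value may exceed what was actually queued would help.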
@@ -317,33 +317,6 @@ netflush()
 } /* end of netflush */
-/*
- * writenet
- *
- * Just a handy little function to write a bit of raw data to the net.
- * It will force a transmit of the buffer if necessary
- *
- * arguments
- * ptr - A pointer to a character string to write
- * len - How many bytes to write
- */
- void
-writenet(ptr, len)
- register unsigned char *ptr;
- register int len;
-{
- /* flush buffer if no room for new data) */
- if ((&netobuf[BUFSIZ] - nfrontp) < len) {
- /* if this fails, don't worry, buffer is a little big */
- netflush();
- }
-
- memmove(nfrontp, ptr, len);
- nfrontp += len;
-
-} /* end of writenet */
-
-
 /*
 * miscellaneous functions doing a variety of little jobs follow ...
 */