Sync with usr.bin/telnet/telnet.c r1.9 - fix buffer overflow in DISPLAY

git-svn-id: http://svn0.us-east.freebsd.org/base/head/contrib/telnet@67827 ccf9f872-aa2e-dd11-9fc8-001c23d0bc1f
2000-10-29 00:10:14 +00:00 · 2000-10-29 00:10:14 +00:00 · 2ffcc09501
parent a2af2980e2
commit 2ffcc09501
1 changed files with 7 additions and 4 deletions
--- a/telnet/telnet.c
+++ b/telnet/telnet.c
@ -29,6 +29,8 @@
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
+ *
+ * $FreeBSD$
 */

 #ifndef lint
@ -970,16 +972,17 @@ suboption()
 	    unsigned char temp[50], *dp;
 	    int len;

-	    if ((dp = env_getvalue((unsigned char *)"DISPLAY")) == NULL) {
+	    if ((dp = env_getvalue((unsigned char *)"DISPLAY")) == NULL ||
+		strlen(dp) > sizeof(temp) - 7) {
 		/*
 		 * Something happened, we no longer have a DISPLAY
-		 * variable.  So, turn off the option.
+		 * variable.  Or it is too long.  So, turn off the option.
 		 */
 		send_wont(TELOPT_XDISPLOC, 1);
 		break;
 	    }
-	    sprintf((char *)temp, "%c%c%c%c%s%c%c", IAC, SB, TELOPT_XDISPLOC,
-		    TELQUAL_IS, dp, IAC, SE);
+	    snprintf((char *)temp, sizeof(temp), "%c%c%c%c%s%c%c", IAC, SB,
+		    TELOPT_XDISPLOC, TELQUAL_IS, dp, IAC, SE);
 	    len = strlen((char *)temp+4) + 4;	/* temp[3] is 0 ... */

 	    if (len < NETROOM()) {