[Midnightbsd-cvs] src [12212] stable/1.1: Fix some security issues in telnet client.
laffer1 at midnightbsd.org
laffer1 at midnightbsd.org
Wed Jul 24 18:49:33 EDT 2019
Revision: 12212
http://svnweb.midnightbsd.org/src/?rev=12212
Author: laffer1
Date: 2019-07-24 18:49:32 -0400 (Wed, 24 Jul 2019)
Log Message:
-----------
Fix some security issues in telnet client.
Modified Paths:
--------------
stable/1.1/UPDATING
stable/1.1/contrib/telnet/telnet/commands.c
stable/1.1/contrib/telnet/telnet/telnet.c
stable/1.1/contrib/telnet/telnet/utilities.c
Modified: stable/1.1/UPDATING
===================================================================
--- stable/1.1/UPDATING 2019-06-29 01:39:44 UTC (rev 12211)
+++ stable/1.1/UPDATING 2019-07-24 22:49:32 UTC (rev 12212)
@@ -1,5 +1,8 @@
Updating Information for MidnightBSD users.
+20190724:
+ Fix some buffer overflows in telnet client.
+
20190223:
Update mport package tool with version from CURRENT. Supports
origin lookups with /usr/libexec/mport.query now, required for latest
Modified: stable/1.1/contrib/telnet/telnet/commands.c
===================================================================
--- stable/1.1/contrib/telnet/telnet/commands.c 2019-06-29 01:39:44 UTC (rev 12211)
+++ stable/1.1/contrib/telnet/telnet/commands.c 2019-07-24 22:49:32 UTC (rev 12212)
@@ -45,6 +45,7 @@
#include <sys/socket.h>
#include <netinet/in.h>
+#include <assert.h>
#include <ctype.h>
#include <err.h>
#include <errno.h>
@@ -1654,11 +1655,14 @@
|| (strncmp((char *)ep->value, "unix:", 5) == 0))) {
char hbuf[256+1];
char *cp2 = strchr((char *)ep->value, ':');
+ size_t buflen;
- gethostname(hbuf, 256);
- hbuf[256] = '\0';
- cp = (char *)malloc(strlen(hbuf) + strlen(cp2) + 1);
- sprintf((char *)cp, "%s%s", hbuf, cp2);
+ gethostname(hbuf, sizeof(hbuf));
+ hbuf[sizeof(hbuf)-1] = '\0';
+ buflen = strlen(hbuf) + strlen(cp2) + 1;
+ cp = (char *)malloc(sizeof(char)*buflen);
+ assert(cp != NULL);
+ snprintf((char *)cp, buflen, "%s%s", hbuf, cp2);
free(ep->value);
ep->value = (unsigned char *)cp;
}
Modified: stable/1.1/contrib/telnet/telnet/telnet.c
===================================================================
--- stable/1.1/contrib/telnet/telnet/telnet.c 2019-06-29 01:39:44 UTC (rev 12211)
+++ stable/1.1/contrib/telnet/telnet/telnet.c 2019-07-24 22:49:32 UTC (rev 12212)
@@ -785,7 +785,7 @@
name = gettermname();
len = strlen(name) + 4 + 2;
if (len < NETROOM()) {
- sprintf(temp, "%c%c%c%c%s%c%c", IAC, SB, TELOPT_TTYPE,
+ snprintf(temp, sizeof(temp), "%c%c%c%c%s%c%c", IAC, SB, TELOPT_TTYPE,
TELQUAL_IS, name, IAC, SE);
ring_supply_data(&netoring, temp, len);
printsub('>', &temp[2], len-2);
@@ -807,7 +807,7 @@
TerminalSpeeds(&ispeed, &ospeed);
- sprintf((char *)temp, "%c%c%c%c%ld,%ld%c%c", IAC, SB, TELOPT_TSPEED,
+ snprintf((char *)temp, sizeof(temp), "%c%c%c%c%ld,%ld%c%c", IAC, SB, TELOPT_TSPEED,
TELQUAL_IS, ospeed, ispeed, IAC, SE);
len = strlen((char *)temp+4) + 4; /* temp[3] is 0 ... */
Modified: stable/1.1/contrib/telnet/telnet/utilities.c
===================================================================
--- stable/1.1/contrib/telnet/telnet/utilities.c 2019-06-29 01:39:44 UTC (rev 12211)
+++ stable/1.1/contrib/telnet/telnet/utilities.c 2019-07-24 22:49:32 UTC (rev 12212)
@@ -629,7 +629,7 @@
}
{
char tbuf[64];
- sprintf(tbuf, "%s%s%s%s%s",
+ snprintf(tbuf, sizeof(tbuf), "%s%s%s%s%s",
pointer[2]&MODE_EDIT ? "|EDIT" : "",
pointer[2]&MODE_TRAPSIG ? "|TRAPSIG" : "",
pointer[2]&MODE_SOFT_TAB ? "|SOFT_TAB" : "",
More information about the Midnightbsd-cvs
mailing list