authorTom Yu <tlyu@mit.edu>2005-03-29 21:21:14 +0000
committerTom Yu <tlyu@mit.edu>2005-03-29 21:21:14 +0000
commit08c52c1b3c2dfdd825dfa671cebff141697fc0d7 (patch)
tree45de9a502bcf0ceb21d48dcd1235d82c98323298
parentbc4421a1391d0e17b5b9b07e4fb6ac2d13998c46 (diff)
fix MITKRB5-SA-2005-001 telnet client vuln
* telnet.c (slc_add_reply, slc_end_reply): Fix buffer overflow vulnerability by checking lengths. (env_opt_add): Ensure buffer allocation is sufficiently large, accounting for expansion during IAC quoting. ticket: new tags: pullup version_reported: 1.4 target_version: 1.4.1 component: telnet git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@17162 dc483132-0cff-0310-8789-dd5450dbe970
-rw-r--r--src/appl/telnet/telnet/ChangeLog7
-rw-r--r--src/appl/telnet/telnet/telnet.c22
2 files changed, 20 insertions, 9 deletions
diff --git a/src/appl/telnet/telnet/ChangeLog b/src/appl/telnet/telnet/ChangeLog
index 91d52591a..e223a7750 100644
--- a/src/appl/telnet/telnet/ChangeLog
+++ b/src/appl/telnet/telnet/ChangeLog
@@ -1,3 +1,10 @@
+2005-03-28 Tom Yu <tlyu@mit.edu>
+
+ * telnet.c (slc_add_reply, slc_end_reply): Fix buffer overflow
+ vulnerability by checking lengths.
+ (env_opt_add): Ensure buffer allocation is sufficiently large,
+ accounting for expansion during IAC quoting.
+
2004-03-04 Ken Raeburn <raeburn@mit.edu>
* configure.in: Deleted; configure this dir from parent now.
diff --git a/src/appl/telnet/telnet/telnet.c b/src/appl/telnet/telnet/telnet.c
index a92bbd5d1..6215fc1e9 100644
--- a/src/appl/telnet/telnet/telnet.c
+++ b/src/appl/telnet/telnet/telnet.c
@@ -1475,6 +1475,8 @@ slc_add_reply(func, flags, value)
unsigned char flags;
cc_t value;
{
+ if ((slc_replyp - slc_reply) + 6 > sizeof(slc_reply))
+ return;
if ((*slc_replyp++ = func) == IAC)
*slc_replyp++ = IAC;
if ((*slc_replyp++ = flags) == IAC)
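Review bot: The new guard at the top of slc_add_reply reserves the 6 bytes this call can emit (three values, each doubled when it equals IAC) but not the 2-byte IAC SE trailer that slc_end_reply appends, so a reply that fills slc_reply exactly is later discarded in full by slc_end_reply's `len + 2 > sizeof(slc_reply)` test instead of merely losing its last entry; reserving the trailer here, `if ((slc_replyp - slc_reply) + 6 + 2 > sizeof(slc_reply)) return;`, keeps the reply sendable whenever an entry was accepted. The early return is silent, so a comment such as `/* No room for another entry plus IAC SE: drop it rather than overflow. */` would make the intent clear to the next reader, and the magic 6 deserves a named constant. This relies on slc_reply being declared as a fixed-size array rather than a pointer (otherwise sizeof yields the pointer size); its declaration and the rest of slc_add_reply's body lie outside the hunk.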
@@ -1488,11 +1490,12 @@ slc_end_reply()
{
register int len;
- *slc_replyp++ = IAC;
- *slc_replyp++ = SE;
len = slc_replyp - slc_reply;
- if (len <= 6)
+ if (len <= 4 || (len + 2 > sizeof(slc_reply)))
return;
+ *slc_replyp++ = IAC;
+ *slc_replyp++ = SE;
+ len += 2;
if (NETROOM() > len) {
ring_supply_data(&netoring, slc_reply, slc_replyp - slc_reply);
printsub('>', &slc_reply[2], slc_replyp - slc_reply - 2);
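Review bot: `len` is declared `register int` two lines above, yet the new check compares `len + 2` against `sizeof(slc_reply)`, converting the signed value to size_t; it is only safe because `len <= 4` short-circuits first, and it draws -Wsign-compare warnings, as does the `(slc_replyp - slc_reply) + 6` comparison added in slc_add_reply. Declaring `size_t len;` (or casting in the comparison) makes the bound explicit. The return also drops the whole pending reply without any diagnostic, which looks deliberate but is undocumented; `/* no room for IAC SE: drop the reply rather than overflow */` on the return would record that. The function body continues past the end of the hunk.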
@@ -1645,6 +1648,7 @@ env_opt_add(ep)
register unsigned char *ep;
{
register unsigned char *vp, c;
+ unsigned int len, olen, elen;
if (opt_reply == NULL) /*XXX*/
return; /*XXX*/
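Review bot: The added `unsigned int len, olen, elen;` will hold sums of `strlen()` results and pointer differences, which are size_t and ptrdiff_t; on LP64 targets the later `elen = 2 * strlen(...) + ...` assignment silently truncates, and `(opt_replyend - opt_replyp) < elen` mixes a signed difference with an unsigned operand. Environment strings are nowhere near 4 GiB in practice, so this is type hygiene rather than a reachable overflow, but `size_t len, olen, elen;` matches the arithmetic these variables carry. env_opt_add's body continues outside the hunk.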
@@ -1662,19 +1666,19 @@ env_opt_add(ep)
return;
}
vp = env_getvalue(ep);
- if (opt_replyp + (vp ? strlen((char *)vp) : 0) +
- strlen((char *)ep) + 6 > opt_replyend)
+ elen = 2 * (vp ? strlen((char *)vp) : 0) +
+ 2 * strlen((char *)ep) + 6;
+ if ((opt_replyend - opt_replyp) < elen)
{
- register unsigned int len;
- opt_replyend += OPT_REPLY_SIZE;
- len = opt_replyend - opt_reply;
+ len = opt_replyend - opt_reply + elen;
+ olen = opt_replyp - opt_reply;
opt_reply = (unsigned char *)realloc(opt_reply, len);
if (opt_reply == NULL) {
/*@*/ printf("env_opt_add: realloc() failed!!!\n");
opt_reply = opt_replyp = opt_replyend = NULL;
return;
}
- opt_replyp = opt_reply + len - (opt_replyend - opt_replyp);
+ opt_replyp = opt_reply + olen;
opt_replyend = opt_reply + len;
}
if (opt_welldefined((char *) ep))
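Review bot: `len = opt_replyend - opt_reply + elen;` grows the buffer by exactly the worst case for this one entry, where the removed code grew it by OPT_REPLY_SIZE, so in the worst case the buffer is full again after this call and the next env_opt_add reallocs once more; `len = opt_replyend - opt_reply + (elen > OPT_REPLY_SIZE ? elen : OPT_REPLY_SIZE);` keeps the amortized growth without weakening the new bound. The factor 2 and the `+ 6` in elen are unexplained; a comment like `/* worst case: every byte of name and value is escaped (doubled), plus fixed framing bytes */` would help, with the exact framing count confirmed against the code below the hunk. The pre-existing `opt_reply = realloc(opt_reply, len)` pattern leaks the original buffer on failure before the pointers are set to NULL; assigning to a temporary and checking it first is the usual fix. The function continues past the end of the hunk.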