author | Sam Hartman <hartmans@mit.edu> | 2002-03-16 18:08:08 +0000 |
---|---|---|
committer | Sam Hartman <hartmans@mit.edu> | 2002-03-16 18:08:08 +0000 |
commit | 397739f8c019754acccd3f59cff4549fa34b2a12 (patch) | |
tree | f864e61d6eda99cb4aa4a7521913fbbb2f65324e | |
parent | c8952afc6f0832ab773804342b962a8f1bc7bd47 (diff) | |
Fix client side buffer overflows
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@14285 dc483132-0cff-0310-8789-dd5450dbe970
-rw-r--r-- | src/appl/telnet/libtelnet/ChangeLog | 5 | ||||
-rw-r--r-- | src/appl/telnet/libtelnet/kerberos.c | 14 | ||||
-rw-r--r-- | src/appl/telnet/libtelnet/kerberos5.c | 15 |
3 files changed, 28 insertions, 6 deletions
diff --git a/src/appl/telnet/libtelnet/ChangeLog b/src/appl/telnet/libtelnet/ChangeLog index 7b79c5ac2..fa3a269ad 100644 --- a/src/appl/telnet/libtelnet/ChangeLog +++ b/src/appl/telnet/libtelnet/ChangeLog @@ -1,3 +1,8 @@ +2002-03-14 Sam Hartman <hartmans@mit.edu> + + * kerberos5.c kerberos.c (Data): Don't overflow + buffer. [telnet/1073] + 2002-03-13 Ezra Peisach <epeisach@mit.edu> * configure.in: Do not explicitly add getent.o and setenv.o to diff --git a/src/appl/telnet/libtelnet/kerberos.c b/src/appl/telnet/libtelnet/kerberos.c index c89f6dadc..06233ebcd 100644 --- a/src/appl/telnet/libtelnet/kerberos.c +++ b/src/appl/telnet/libtelnet/kerberos.c @@ -144,7 +144,7 @@ Data(ap, type, d, c) { unsigned char *p = str_data + 4; const unsigned char *cd = (const unsigned char *)d; - + size_t spaceleft = sizeof(str_data)-4; if (c == -1) c = strlen((const char *)cd); @@ -159,9 +159,17 @@ Data(ap, type, d, c) *p++ = ap->type; *p++ = ap->way; *p++ = type; + spaceleft -= 3; while (c-- > 0) { - if ((*p++ = *cd++) == IAC) - *p++ = IAC; +if ((*p++ = *cd++) == IAC) { +*p++ = IAC; +spaceleft--; +} +if (--spaceleft <= 4) { +errno = ENOMEM; +return -1; +} + } *p++ = IAC; *p++ = SE; diff --git a/src/appl/telnet/libtelnet/kerberos5.c b/src/appl/telnet/libtelnet/kerberos5.c index d57a735b0..8041d1f0c 100644 --- a/src/appl/telnet/libtelnet/kerberos5.c +++ b/src/appl/telnet/libtelnet/kerberos5.c @@ -97,7 +97,7 @@ static void kerberos5_forward(Authenticator *); #endif /* FORWARD */ -static unsigned char str_data[2048] = { IAC, SB, TELOPT_AUTHENTICATION, 0, +static unsigned char str_data[8192] = {IAC, SB, TELOPT_AUTHENTICATION, 0, AUTHTYPE_KERBEROS_V5, }; /*static unsigned char str_name[1024] = { IAC, SB, TELOPT_AUTHENTICATION, TELQUAL_NAME, };*/ @@ -138,6 +138,7 @@ Data(ap, type, d, c) { unsigned char *p = str_data + 4; unsigned char *cd = (unsigned char *)d; + size_t spaceleft = sizeof(str_data)-4; if (c == -1) c = strlen((char *)cd); 
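Review bot: In the second kerberos.c hunk (and the matching loop in kerberos5.c), the new overflow path ends with `errno = ENOMEM; return -1;`, and -1 is non-zero, so any caller that tests `!Data(...)` for failure would read the refused send as success. The callers and the rest of Data() are outside these hunks, so this needs checking against them; if zero is the failure value there, the path should be `return 0;`. None of the hunks adds `#include <errno.h>`, so confirm it is already in scope in both files. A short comment above the check, such as `/* payload does not fit in str_data: refuse to send */`, would record the intent.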
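Review bot: The new size in `static unsigned char str_data[8192]` (first kerberos5.c hunk) is an unexplained literal, and what protects the buffer is now the `sizeof(str_data)` check added in Data(), not the size itself. A comment on the declaration would help the next reader, for example `/* Data() refuses payloads that do not fit; sized for <largest expected auth message> */`. The kerberos.c hunks do not show that file's own `str_data` declaration, so it is worth confirming that buffer is large enough for legitimate messages now that oversized ones fail with ENOMEM.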
@@ -153,9 +154,17 @@ Data(ap, type, d, c) *p++ = ap->type; *p++ = ap->way; *p++ = type; + spaceleft -= 3; while (c-- > 0) { - if ((*p++ = *cd++) == IAC) - *p++ = IAC; +if ((*p++ = *cd++) == IAC) { +*p++ = IAC; +spaceleft--; +} +if (--spaceleft <= 4) { +errno = ENOMEM; +return -1; +} + } *p++ = IAC; *p++ = SE; |
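Review bot: The bound in this loop is kept in a second counter, `spaceleft`, which has to be decremented by hand next to every `*p++`, and it is tested only after the byte (and a doubled IAC) has already been stored. That is safe only because of the unexplained reserve in `<= 4`. Deriving the remaining room from the pointer before writing removes the bookkeeping, e.g. `if ((size_t)(str_data + sizeof(str_data) - p) < 4)` guarding the same failure path at the top of the loop body. At minimum, a comment such as `/* reserve: doubled IAC + trailing IAC SE */` should explain the constant. The same loop is in kerberos.c, and the start and end of Data() lie outside the hunk.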