* telnetd.c (getterminaltype): Null-terminate strings and avoid a

      buffer overrun.

      * ext.h: make terminaltype a char[] instead of a char * for
      telnetd.c change

      * state.c (suboption): redo handling of terminaltype

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@10380 dc483132-0cff-0310-8789-dd5450dbe970

5 files changed, 29 insertions, 16 deletions

diff --git a/src/appl/telnet/telnetd/ChangeLog b/src/appl/telnet/telnetd/ChangeLog
index a10361029..633002839 100644
--- a/src/appl/telnet/telnetd/ChangeLog
+++ b/src/appl/telnet/telnetd/ChangeLog
@@ -1,3 +1,13 @@
+Tue Jan 27 18:27:16 1998  Dan Winship  <danw@mit.edu>
+
+	* telnetd.c (getterminaltype): Null-terminate strings and avoid a
+	buffer overrun.
+
+	* ext.h: make terminaltype a char[] instead of a char * for
+	telnetd.c change
+
+	* state.c (suboption): redo handling of terminaltype
+
 Fri Jan 23 22:13:02 1998  Theodore Ts'o  <tytso@rsts-11.mit.edu>
 
 	* telnetd.c (telnet, get_default_IM): Instead of using a hardcoded
@@ -14,7 +24,7 @@ Thu Oct 23 13:59:32 1997  Theodore Y. Ts'o  <tytso@mit.edu>
 
 	* state.c (envvarok): Prohibit the passing of TERMCAP, TERMPATH,
 		TERMINFO, and HOME, since they can be used to exploit a
-		security in tgetent.
+		security hole in tgetent.
 
 Wed Apr  9 23:46:40 1997  Tom Yu  <tlyu@mit.edu>
 
diff --git a/src/appl/telnet/telnetd/ext.h b/src/appl/telnet/telnetd/ext.h
index f6e4aacc4..2ff53e3e3 100644
--- a/src/appl/telnet/telnetd/ext.h
+++ b/src/appl/telnet/telnetd/ext.h
@@ -66,7 +66,7 @@ extern int	auth_level;
 extern int auth_negotiated; /* Have we finished all authentication negotiation we plan to finish?*/
 extern slcfun	slctab[NSLC + 1];	/* slc mapping table */
 
-extern char	*terminaltype;
+extern char	terminaltype[41];
 
 /*
  * I/O data buffers, pointers, and counters.
diff --git a/src/appl/telnet/telnetd/state.c b/src/appl/telnet/telnetd/state.c
index 9d5224acc..afca74c97 100644
--- a/src/appl/telnet/telnetd/state.c
+++ b/src/appl/telnet/telnetd/state.c
@@ -1140,7 +1140,7 @@ suboption()
     }  /* end of case TELOPT_TSPEED */
 
     case TELOPT_TTYPE: {		/* Yaaaay! */
-	static char terminalname[41];
+	char *tt;
 
 	if (his_state_is_wont(TELOPT_TTYPE))	/* Ignore if option disabled */
 		break;
@@ -1151,20 +1151,18 @@ suboption()
 	    return;		/* ??? XXX but, this is the most robust */
 	}
 
-	terminaltype = terminalname;
+	tt = terminaltype;
 
-	while ((terminaltype < (terminalname + sizeof terminalname-1)) &&
-								    !SB_EOF()) {
+	while ((tt < (terminaltype + sizeof(terminaltype) - 1)) && !SB_EOF()) {
 	    register int c;
 
 	    c = SB_GET();
 	    if (isupper(c)) {
 		c = tolower(c);
 	    }
-	    *terminaltype++ = c;    /* accumulate name */
+	    *tt++ = c;    /* accumulate name */
 	}
-	*terminaltype = 0;
-	terminaltype = terminalname;
+	*tt = 0;
 	break;
     }  /* end of case TELOPT_TTYPE */
 
diff --git a/src/appl/telnet/telnetd/sys_term.c b/src/appl/telnet/telnetd/sys_term.c
index 0e5def6b0..93a661c1c 100644
--- a/src/appl/telnet/telnetd/sys_term.c
+++ b/src/appl/telnet/telnetd/sys_term.c
@@ -1122,7 +1122,7 @@ startslave(host, autologin, autoname)
 	SCPYN(request.gen_id, gen_id);
 	SCPYN(request.tty_id, &line[8]);
 	SCPYN(request.host, host);
-	SCPYN(request.term_type, terminaltype ? terminaltype : "network");
+	SCPYN(request.term_type, *terminaltype ? terminaltype : "network");
 #if	!defined(UNICOS5)
 	request.signal = SIGCLD;
 	request.pid = getpid();
diff --git a/src/appl/telnet/telnetd/telnetd.c b/src/appl/telnet/telnetd/telnetd.c
index 88a523873..dceaab7b3 100644
--- a/src/appl/telnet/telnetd/telnetd.c
+++ b/src/appl/telnet/telnetd/telnetd.c
@@ -801,12 +801,14 @@ getterminaltype(name)
 	 * we have to just go with what we (might) have already gotten.
 	 */
 	if (his_state_is_will(TELOPT_TTYPE) && !terminaltypeok(terminaltype)) {
-	    (void) strncpy(first, terminaltype, sizeof(first));
+	    (void) strncpy(first, terminaltype, sizeof(first) - 1);
+	    first[sizeof(first) - 1] = '\0';
 	    for(;;) {
 		/*
 		 * Save the unknown name, and request the next name.
 		 */
-		(void) strncpy(last, terminaltype, sizeof(last));
+		(void) strncpy(last, terminaltype, sizeof(last) - 1);
+		last[sizeof(last) - 1] = '\0';
 		_gettermname();
 		if (terminaltypeok(terminaltype))
 		    break;
@@ -823,9 +825,12 @@ getterminaltype(name)
 		     * RFC1091 compliant telnets will cycle back to
 		     * the start of the list.
 		     */
-		     _gettermname();
-		    if (strncmp(first, terminaltype, sizeof(first)) != 0)
-			(void) strncpy(terminaltype, first, sizeof(first));
+		    _gettermname();
+		    if (strncmp(first, terminaltype, sizeof(first)) != 0) {
+			(void) strncpy(terminaltype, first,
+				       sizeof(terminaltype) - 1);
+			terminaltype[sizeof(terminaltype) - 1] = '\0';
+		    }
 		    break;
 		}
 	    }
@@ -857,7 +862,7 @@ terminaltypeok(s)
 {
     char buf[1024];
 
-    if (terminaltype == NULL)
+    if (!*s)
 	return(1);
 
     /*