Diffstat (limited to 'src')
-rw-r--r--src/appl/telnet/libtelnet/ChangeLog5
-rw-r--r--src/appl/telnet/libtelnet/kerberos.c14
-rw-r--r--src/appl/telnet/libtelnet/kerberos5.c15
3 files changed, 28 insertions, 6 deletions
diff --git a/src/appl/telnet/libtelnet/ChangeLog b/src/appl/telnet/libtelnet/ChangeLog
index 7b79c5ac2..fa3a269ad 100644
--- a/src/appl/telnet/libtelnet/ChangeLog
+++ b/src/appl/telnet/libtelnet/ChangeLog
@@ -1,3 +1,8 @@
+2002-03-14 Sam Hartman <hartmans@mit.edu>
+
+ * kerberos5.c kerberos.c (Data): Don't overflow
+ buffer. [telnet/1073]
+
2002-03-13 Ezra Peisach <epeisach@mit.edu>
* configure.in: Do not explicitly add getent.o and setenv.o to
diff --git a/src/appl/telnet/libtelnet/kerberos.c b/src/appl/telnet/libtelnet/kerberos.c
index c89f6dadc..06233ebcd 100644
--- a/src/appl/telnet/libtelnet/kerberos.c
+++ b/src/appl/telnet/libtelnet/kerberos.c
@@ -144,7 +144,7 @@ Data(ap, type, d, c)
{
unsigned char *p = str_data + 4;
const unsigned char *cd = (const unsigned char *)d;
-
+ size_t spaceleft = sizeof(str_data)-4;
if (c == -1)
c = strlen((const char *)cd);
@@ -159,9 +159,17 @@ Data(ap, type, d, c)
*p++ = ap->type;
*p++ = ap->way;
*p++ = type;
+ spaceleft -= 3;
while (c-- > 0) {
- if ((*p++ = *cd++) == IAC)
- *p++ = IAC;
+if ((*p++ = *cd++) == IAC) {
+*p++ = IAC;
+spaceleft--;
+}
+if (--spaceleft <= 4) {
+errno = ENOMEM;
+return -1;
+}
+
}
*p++ = IAC;
*p++ = SE;
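Review bot: The new overflow path returns `-1` with `errno = ENOMEM`, but nothing visible here shows how Data()'s callers interpret that value. A caller written as `if (!Data(...))` would read `-1` as success and continue as though the authentication sub-option had been sent. Either return the failure value the callers already test for, or change them to check `< 0`. Neither hunk adds `#include <errno.h>`, so confirm the file already includes it. The same return-value question applies to the matching hunk in kerberos5.c; Data() starts and ends outside this hunk.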
diff --git a/src/appl/telnet/libtelnet/kerberos5.c b/src/appl/telnet/libtelnet/kerberos5.c
index d57a735b0..8041d1f0c 100644
--- a/src/appl/telnet/libtelnet/kerberos5.c
+++ b/src/appl/telnet/libtelnet/kerberos5.c
@@ -97,7 +97,7 @@ static void kerberos5_forward(Authenticator *);
#endif /* FORWARD */
-static unsigned char str_data[2048] = { IAC, SB, TELOPT_AUTHENTICATION, 0,
+static unsigned char str_data[8192] = {IAC, SB, TELOPT_AUTHENTICATION, 0,
AUTHTYPE_KERBEROS_V5, };
/*static unsigned char str_name[1024] = { IAC, SB, TELOPT_AUTHENTICATION,
TELQUAL_NAME, };*/
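Review bot: The new size `8192` is an unexplained magic number, so the next maintainer cannot tell what payload it is meant to accommodate. Data() in this file doubles every IAC byte, so the guaranteed capacity for raw payload is only about half the array. A comment on the declaration would record that assumption, for example `/* must hold the largest auth/forward message with every byte IAC-doubled, plus option framing */`. A named constant for the size would also help.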
@@ -138,6 +138,7 @@ Data(ap, type, d, c)
{
unsigned char *p = str_data + 4;
unsigned char *cd = (unsigned char *)d;
+ size_t spaceleft = sizeof(str_data)-4;
if (c == -1)
c = strlen((char *)cd);
@@ -153,9 +154,17 @@ Data(ap, type, d, c)
*p++ = ap->type;
*p++ = ap->way;
*p++ = type;
+ spaceleft -= 3;
while (c-- > 0) {
- if ((*p++ = *cd++) == IAC)
- *p++ = IAC;
+if ((*p++ = *cd++) == IAC) {
+*p++ = IAC;
+spaceleft--;
+}
+if (--spaceleft <= 4) {
+errno = ENOMEM;
+return -1;
+}
+
}
*p++ = IAC;
*p++ = SE;
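Review bot: The guard `if (--spaceleft <= 4)` runs only after the byte (and a possible doubled IAC) has already been stored, so it is safe only while `spaceleft` stays exactly in step with `p`. By my reading the arithmetic holds as written, but `spaceleft` is a `size_t`, so any later edit that lets it fall below the decrement would wrap to a huge value and silently disable the check. Testing before the store against the end of the array needs no separate counter: at the top of the loop, `if ((size_t)(str_data + sizeof(str_data) - p) < 4) { errno = ENOMEM; return -1; }` reserves two bytes for a doubled IAC and two for the trailing `IAC SE`. The same applies to the identical loop in kerberos.c; Data() starts and ends outside this hunk.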