Fix client side buffer overflows

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@14285 dc483132-0cff-0310-8789-dd5450dbe970

diff --git a/src/appl/telnet/libtelnet/ChangeLog b/src/appl/telnet/libtelnet/ChangeLog
index 7b79c5ac294c284fbd69ee7a1c51f9c58b1c181e..fa3a269ada042addf1e6264ff56f6c72148f3ff3 100644 (file)
--- a/src/appl/telnet/libtelnet/ChangeLog
+++ b/src/appl/telnet/libtelnet/ChangeLog
@@ -1,3 +1,8 @@
+2002-03-14  Sam Hartman  <hartmans@mit.edu>
+
+       * kerberos5.c kerberos.c  (Data): Don't overflow
+       buffer. [telnet/1073] 
+
 2002-03-13  Ezra Peisach  <epeisach@mit.edu>
 
        * configure.in: Do not explicitly add getent.o and setenv.o to

diff --git a/src/appl/telnet/libtelnet/kerberos.c b/src/appl/telnet/libtelnet/kerberos.c
index c89f6dadc565666111c85555b694d52a5cc2fa00..06233ebcd0b014dd9ccd1987ab4d95bb6c894c70 100644 (file)
--- a/src/appl/telnet/libtelnet/kerberos.c
+++ b/src/appl/telnet/libtelnet/kerberos.c
@@ -144,7 +144,7 @@ Data(ap, type, d, c)
 {
         unsigned char *p = str_data + 4;
        const unsigned char *cd = (const unsigned char *)d;
-
+       size_t spaceleft = sizeof(str_data)-4;
        if (c == -1)
                c = strlen((const char *)cd);
 
@@ -159,9 +159,17 @@ Data(ap, type, d, c)
        *p++ = ap->type;
        *p++ = ap->way;
        *p++ = type;
+       spaceleft -= 3;
         while (c-- > 0) {
-                if ((*p++ = *cd++) == IAC)
-                        *p++ = IAC;
+if ((*p++ = *cd++) == IAC) {
+*p++ = IAC;
+spaceleft--;
+}
+if (--spaceleft <= 4) {
+errno = ENOMEM;
+return -1;
+}
+
         }
         *p++ = IAC;
         *p++ = SE;

diff --git a/src/appl/telnet/libtelnet/kerberos5.c b/src/appl/telnet/libtelnet/kerberos5.c
index d57a735b0bfb38c2f7be1f5ec8a3e5299bd23702..8041d1f0c6c146470ed2ac656d37c46c649db239 100644 (file)
--- a/src/appl/telnet/libtelnet/kerberos5.c
+++ b/src/appl/telnet/libtelnet/kerberos5.c
@@ -97,7 +97,7 @@ static void kerberos5_forward(Authenticator *);
 
 #endif /* FORWARD */
 
-static unsigned char str_data[2048] = { IAC, SB, TELOPT_AUTHENTICATION, 0,
+static unsigned char str_data[8192] = {IAC, SB, TELOPT_AUTHENTICATION, 0,
                                        AUTHTYPE_KERBEROS_V5, };
 /*static unsigned char str_name[1024] = { IAC, SB, TELOPT_AUTHENTICATION,
                                        TELQUAL_NAME, };*/
@@ -138,6 +138,7 @@ Data(ap, type, d, c)
 {
         unsigned char *p = str_data + 4;
        unsigned char *cd = (unsigned char *)d;
+       size_t spaceleft = sizeof(str_data)-4;
 
        if (c == -1)
                c = strlen((char *)cd);
@@ -153,9 +154,17 @@ Data(ap, type, d, c)
        *p++ = ap->type;
        *p++ = ap->way;
        *p++ = type;
+       spaceleft -= 3;
         while (c-- > 0) {
-                if ((*p++ = *cd++) == IAC)
-                        *p++ = IAC;
+if ((*p++ = *cd++) == IAC) {
+*p++ = IAC;
+spaceleft--;
+}
+if (--spaceleft <= 4) {
+errno = ENOMEM;
+return -1;
+}
+
         }
         *p++ = IAC;
         *p++ = SE;