|
|
|
@ -0,0 +1,30 @@ |
|
|
|
diff -Naur netkit-telnet-0.17.orig/telnet/telnet.cc netkit-telnet-0.17/telnet/telnet.cc
|
|
|
|
--- netkit-telnet-0.17.orig/telnet/telnet.cc 2000-07-23 04:24:53.000000000 +0100
|
|
|
|
+++ netkit-telnet-0.17/telnet/telnet.cc 2005-10-11 11:58:02.000000000 +0100
|
|
|
|
@@ -1050,6 +1050,7 @@
|
|
|
|
|
|
|
|
|
|
|
|
unsigned char slc_reply[128]; |
|
|
|
+unsigned char const * const slc_reply_eom = &slc_reply[sizeof(slc_reply)];
|
|
|
|
unsigned char *slc_replyp; |
|
|
|
|
|
|
|
void slc_start_reply(void) { |
|
|
|
@@ -1061,6 +1062,18 @@
|
|
|
|
} |
|
|
|
|
|
|
|
void slc_add_reply(int func, int flags, int value) { |
|
|
|
+ /* Fix security vulnerability
|
|
|
|
+ * http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0469
|
|
|
|
+ *
|
|
|
|
+ * A sequence of up to 6 bytes my be written for this member of the
|
|
|
|
+ * SLC suboption list by this function. The end of negotiation
|
|
|
|
+ * command, which is written by slc_end_reply(), will require 2
|
|
|
|
+ * additional bytes. Do not proceed unless there is sufficient
|
|
|
|
+ * space for these items.
|
|
|
|
+ */
|
|
|
|
+ if (&slc_replyp[6+2] > slc_reply_eom)
|
|
|
|
+ return;
|
|
|
|
+
|
|
|
|
if ((*slc_replyp++ = func) == IAC) |
|
|
|
*slc_replyp++ = IAC; |
|
|
|
if ((*slc_replyp++ = flags) == IAC) |
Alan J. Wylie
19 years ago