rocklinux/package/base/netkit-telnet/slc_add_reply.patch

# --- ROCK-COPYRIGHT-NOTE-BEGIN ---
# 
# This copyright note is auto-generated by ./scripts/Create-CopyPatch.
# Please add additional copyright information _after_ the line containing
# the ROCK-COPYRIGHT-NOTE-END tag. Otherwise it might get removed by
# the ./scripts/Create-CopyPatch script. Do not edit this copyright text!
# 
# ROCK Linux: rock-src/package/base/netkit-telnet/slc_add_reply.patch
# ROCK Linux is Copyright (C) 1998 - 2006 Clifford Wolf
# 
# This patch file is dual-licensed. It is available under the license the
# patched project is licensed under, as long as it is an OpenSource license
# as defined at http://www.opensource.org/ (e.g. BSD, X11) or under the terms
# of the GNU General Public License as published by the Free Software
# Foundation; either version 2 of the License, or (at your option) any later
# version.
# 
# --- ROCK-COPYRIGHT-NOTE-END ---

diff -Naur netkit-telnet-0.17.orig/telnet/telnet.cc netkit-telnet-0.17/telnet/telnet.cc
--- netkit-telnet-0.17.orig/telnet/telnet.cc	2000-07-23 04:24:53.000000000 +0100
+++ netkit-telnet-0.17/telnet/telnet.cc	2005-10-11 11:58:02.000000000 +0100
@@ -1050,6 +1050,7 @@
 
 
 unsigned char slc_reply[128];
+unsigned char const * const slc_reply_eom = &slc_reply[sizeof(slc_reply)];
 unsigned char *slc_replyp;
 
 void slc_start_reply(void) {
@@ -1061,6 +1062,18 @@
 }
 
 void slc_add_reply(int func, int flags, int value) {
+  /* Fix security vulnerability
+   * http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0469
+   *
+   * A sequence of up to 6 bytes my be written for this member of the
+   * SLC suboption list by this function.  The end of negotiation
+   * command, which is written by slc_end_reply(), will require 2
+   * additional bytes.  Do not proceed unless there is sufficient
+   * space for these items.
+   */
+  if (&slc_replyp[6+2] > slc_reply_eom)
+    return;
+
   if ((*slc_replyp++ = func) == IAC)
     *slc_replyp++ = IAC;
   if ((*slc_replyp++ = flags) == IAC)