path: root/security/mit-krb5/patches/patch-al
$NetBSD: patch-al,v 1.1.2.2 2005/05/13 10:08:52 salo Exp $

Patch from http://web.mit.edu/kerberos/advisories/2005-001-patch_1.4.txt
which fixes MITKRB5-SA-2005-001 (CAN-2005-0468 & CAN-2005-0469) relating
to buffer overflows in the telnet client.

*** appl/telnet/telnet/telnet.c	15 Nov 2002 20:21:35 -0000	5.18
--- appl/telnet/telnet/telnet.c	15 Mar 2005 18:59:32 -0000
***************
*** 1475,1480 ****
--- 1475,1482 ----
  	unsigned char flags;
  	cc_t value;
  {
+ 	if ((slc_replyp - slc_reply) + 6 > sizeof(slc_reply))
+ 		return;
  	if ((*slc_replyp++ = func) == IAC)
  		*slc_replyp++ = IAC;
  	if ((*slc_replyp++ = flags) == IAC)
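Review bot: The guard added at the top of this function reserves only the 6 bytes this call can write, not the 2-byte `IAC SE` trailer that the next hunk appends. A reply that fills the buffer therefore passes here and is then discarded whole by the `len + 2 > sizeof(slc_reply)` check when the reply is closed. Reserving the trailer up front, `if ((slc_replyp - slc_reply) + 6 + 2 > sizeof(slc_reply))`, would keep the already accepted triplets sendable. The constant also deserves a comment such as `/* worst case: func, flags and value, each doubled when equal to IAC */`; the handling of `value` is presumably the same as the two visible stores but lies below the hunk, as does the rest of the function.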
***************
*** 1488,1498 ****
  {
      register int len;
  
-     *slc_replyp++ = IAC;
-     *slc_replyp++ = SE;
      len = slc_replyp - slc_reply;
!     if (len <= 6)
  	return;
      if (NETROOM() > len) {
  	ring_supply_data(&netoring, slc_reply, slc_replyp - slc_reply);
  	printsub('>', &slc_reply[2], slc_replyp - slc_reply - 2);
--- 1490,1501 ----
  {
      register int len;
  
      len = slc_replyp - slc_reply;
!     if (len <= 4 || (len + 2 > sizeof(slc_reply)))
  	return;
+     *slc_replyp++ = IAC;
+     *slc_replyp++ = SE;
+     len += 2;
      if (NETROOM() > len) {
  	ring_supply_data(&netoring, slc_reply, slc_replyp - slc_reply);
  	printsub('>', &slc_reply[2], slc_replyp - slc_reply - 2);
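Review bot: The new early return drops the whole SLC reply without any trace when the trailer does not fit, and the threshold `4` is unexplained. It appears to be the length of the header written before the first triplet, since the old code compared `len <= 6` after appending the two trailer bytes; a comment like `/* nothing but the header, or no room for IAC SE: send nothing */` would record that. `len` is a signed `int` compared with `sizeof`, which yields a `size_t`; the value is non-negative here, but `(size_t)len + 2 > sizeof(slc_reply)` makes the conversion explicit. The function continues past the end of the hunk.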
***************
*** 1645,1650 ****
--- 1648,1654 ----
  	register unsigned char *ep;
  {
  	register unsigned char *vp, c;
+ 	unsigned int len, olen, elen;
  
  	if (opt_reply == NULL)		/*XXX*/
  		return;			/*XXX*/
***************
*** 1662,1680 ****
  		return;
  	}
  	vp = env_getvalue(ep);
! 	if (opt_replyp + (vp ? strlen((char *)vp) : 0) +
! 				strlen((char *)ep) + 6 > opt_replyend)
  	{
! 		register unsigned int len;
! 		opt_replyend += OPT_REPLY_SIZE;
! 		len = opt_replyend - opt_reply;
  		opt_reply = (unsigned char *)realloc(opt_reply, len);
  		if (opt_reply == NULL) {
  /*@*/			printf("env_opt_add: realloc() failed!!!\n");
  			opt_reply = opt_replyp = opt_replyend = NULL;
  			return;
  		}
! 		opt_replyp = opt_reply + len - (opt_replyend - opt_replyp);
  		opt_replyend = opt_reply + len;
  	}
  	if (opt_welldefined((char *) ep))
--- 1666,1684 ----
  		return;
  	}
  	vp = env_getvalue(ep);
! 	elen = 2 * (vp ? strlen((char *)vp) : 0) +
! 		2 * strlen((char *)ep) + 6;
! 	if ((opt_replyend - opt_replyp) < elen)
  	{
! 		len = opt_replyend - opt_reply + elen;
! 		olen = opt_replyp - opt_reply;
  		opt_reply = (unsigned char *)realloc(opt_reply, len);
  		if (opt_reply == NULL) {
  /*@*/			printf("env_opt_add: realloc() failed!!!\n");
  			opt_reply = opt_replyp = opt_replyend = NULL;
  			return;
  		}
! 		opt_replyp = opt_reply + olen;
  		opt_replyend = opt_reply + len;
  	}
  	if (opt_welldefined((char *) ep))
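Review bot: The size arithmetic in the new `elen = 2 * ... + 6` expression is done in `unsigned int` (declared in the previous hunk), while `strlen` returns `size_t`. On platforms where `size_t` is wider, the doubled lengths can be truncated or wrap before the `(opt_replyend - opt_replyp) < elen` comparison and the `realloc` size are computed, which would undersize the buffer this patch is meant to protect. Declaring `size_t len, olen, elen;` keeps the computation in the type `strlen` and `realloc` use. A comment should say that the factor 2 is the worst case where every byte of the name and value needs an escape byte. Separately, `opt_reply = realloc(opt_reply, len)` overwrites the only pointer to the old block, so the failure branch leaks it; assigning to a temporary first would let that branch `free` the old buffer.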