authorKris Kennaway <kris@FreeBSD.org>2000-10-29 00:10:55 +0000
committerKris Kennaway <kris@FreeBSD.org>2000-10-29 00:10:55 +0000
commit33e4af10d611db770a7f86d386e26c6f092a8802 (patch)
treed45a6394780055f4910a08d73b331c61a74f4f0a /crypto/telnet/telnet/telnet.c
parent0e0836c1a27723eb27640617ce9c181051e47fb4 (diff)
MFC: Fix client-side buffer overflow in DISPLAY
Notes
Notes: svn path=/stable/4/; revision=67828
Diffstat (limited to 'crypto/telnet/telnet/telnet.c')
-rw-r--r--crypto/telnet/telnet/telnet.c11
1 files changed, 7 insertions, 4 deletions
diff --git a/crypto/telnet/telnet/telnet.c b/crypto/telnet/telnet/telnet.c
index 63fb9d7b4340..36d1d21ebdb4 100644
--- a/crypto/telnet/telnet/telnet.c
+++ b/crypto/telnet/telnet/telnet.c
@@ -29,6 +29,8 @@
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
+ *
+ * $FreeBSD$
*/
#ifndef lint
@@ -970,16 +972,17 @@ suboption()
unsigned char temp[50], *dp;
int len;
- if ((dp = env_getvalue((unsigned char *)"DISPLAY")) == NULL) {
+ if ((dp = env_getvalue((unsigned char *)"DISPLAY")) == NULL ||
+ strlen(dp) > sizeof(temp) - 7) {
/*
* Something happened, we no longer have a DISPLAY
- * variable. So, turn off the option.
+ * variable. Or it is too long. So, turn off the option.
*/
send_wont(TELOPT_XDISPLOC, 1);
break;
}
- sprintf((char *)temp, "%c%c%c%c%s%c%c", IAC, SB, TELOPT_XDISPLOC,
- TELQUAL_IS, dp, IAC, SE);
+ snprintf((char *)temp, sizeof(temp), "%c%c%c%c%s%c%c", IAC, SB,
+ TELOPT_XDISPLOC, TELQUAL_IS, dp, IAC, SE);
len = strlen((char *)temp+4) + 4; /* temp[3] is 0 ... */
if (len < NETROOM()) {
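Review bot: The bound `sizeof(temp) - 7` in the new `strlen(dp)` check is a bare number that has to stay in step with the format string passed to `snprintf` just below it (the four bytes IAC SB TELOPT_XDISPLOC TELQUAL_IS, the trailing IAC SE, and the terminating NUL), and nothing on the line says so. A short comment such as `/* 7 = IAC SB XDISPLOC IS + IAC SE + NUL */` would keep a later edit to the format from silently bringing back truncation of the suboption. `dp` is declared `unsigned char *`, so the call would read more consistently as `strlen((char *)dp)`, matching the cast already used on `temp` in the `len =` line. The return value of `snprintf` is discarded; with the guard in place truncation should not occur, but comparing it against `sizeof(temp)` would make the bound self-enforcing. The body of `suboption()` starts and ends outside this hunk.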