Re: [PATCH] telnet: Fix write buffer overflow (off-by-one check)
From: Tim Rühsen
Subject: Re: [PATCH] telnet: Fix write buffer overflow (off-by-one check)
Date: Sun, 16 Feb 2020 19:24:38 +0100
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Thunderbird/68.4.2

Sorry, description is wrong. Should have been 'silently truncated'. I'll
amend the message and send it again.
On 16.02.20 19:21, Tim Rühsen wrote:
> If the DISPLAY variable had exactly 44 bytes, a temporary
> string in function 'suboption' was not 0-terminated.
> ---
> telnet/telnet.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/telnet/telnet.c b/telnet/telnet.c
> index 297ae0e4..9f8c871f 100644
> --- a/telnet/telnet.c
> +++ b/telnet/telnet.c
> @@ -1010,7 +1010,7 @@ suboption (void)
> * protocol must remain unsevered. Check that DP fits in
> * full within TEMP. Otherwise report buffer error.
> */
> - if (strlen (dp) > sizeof (temp) - 4 - 2)
> + if (strlen (dp) >= sizeof (temp) - 4 - 2)
> {
> printf ("lm_will: not enough room in buffer\n");
> break;
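Review bot: The bound `sizeof (temp) - 4 - 2` in the changed `if` still rests on two unexplained constants, and the comment above it does not say what the 4 and the 2 reserve or whether the terminating NUL is counted among them, which is the kind of ambiguity that lets an off-by-one like this slip in. Consider extending that comment to account for each reserved byte, or naming the constants, so the switch from `>` to `>=` can be checked against the code that fills `temp`. The error text also starts with "lm_will:" although the hunk header places this code in `suboption`; if that prefix is a leftover, correcting it in the same change would make the report easier to trace.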
> --
> 2.25.0
>