Re: [PATCH] telnet: Fix write buffer overflow (off-by-one check)

bug-inetutils

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [PATCH] telnet: Fix write buffer overflow (off-by-one check)

From:	Tim Rühsen
Subject:	Re: [PATCH] telnet: Fix write buffer overflow (off-by-one check)
Date:	Sun, 16 Feb 2020 19:24:38 +0100
User-agent:	Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Thunderbird/68.4.2

Sorry, description is wrong. Should have been 'silently truncated'. I'll
amend the message and send it again.

On 16.02.20 19:21, Tim Rühsen wrote:
> If the DISPLAY variable had exactly 44 bytes, a temporary
> string in function 'suboption' was not 0-terminated.
> ---
>  telnet/telnet.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/telnet/telnet.c b/telnet/telnet.c
> index 297ae0e4..9f8c871f 100644
> --- a/telnet/telnet.c
> +++ b/telnet/telnet.c
> @@ -1010,7 +1010,7 @@ suboption (void)
>          * protocol must remain unsevered.  Check that DP fits in
>          * full within TEMP.  Otherwise report buffer error.
>          */
> -       if (strlen (dp) > sizeof (temp) - 4 - 2)
> +       if (strlen (dp) >= sizeof (temp) - 4 - 2)
>           {
>             printf ("lm_will: not enough room in buffer\n");
>             break;
> --
> 2.25.0
>

signature.asc
Description: OpenPGP digital signature

[Prev in Thread]

Current Thread

[Next in Thread]

[PATCH] telnet: Fix write buffer overflow (off-by-one check), Tim Rühsen, 2020/02/16
- Re: [PATCH] telnet: Fix write buffer overflow (off-by-one check), Tim Rühsen <=

Prev by Date: [PATCH] libls: Remove unused variable kflag
Next by Date: [PATCH] ftpd: Fix multiple definition of 'errcatch' (gcc 10)
Previous by thread: [PATCH] telnet: Fix write buffer overflow (off-by-one check)
Next by thread: [PATCH] rcp: Remove unused variable
Index(es):
- Date
- Thread