[PATCH] telnet: Fix write buffer overflow (off-by-one check)

bug-inetutils

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[PATCH] telnet: Fix write buffer overflow (off-by-one check)

From:	Tim Rühsen
Subject:	[PATCH] telnet: Fix write buffer overflow (off-by-one check)
Date:	Sun, 16 Feb 2020 19:21:29 +0100

If the DISPLAY variable had exactly 44 bytes, a temporary
string in function 'suboption' was not 0-terminated.
---
 telnet/telnet.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/telnet/telnet.c b/telnet/telnet.c
index 297ae0e4..9f8c871f 100644
--- a/telnet/telnet.c
+++ b/telnet/telnet.c
@@ -1010,7 +1010,7 @@ suboption (void)
           * protocol must remain unsevered.  Check that DP fits in
           * full within TEMP.  Otherwise report buffer error.
           */
-         if (strlen (dp) > sizeof (temp) - 4 - 2)
+         if (strlen (dp) >= sizeof (temp) - 4 - 2)
            {
              printf ("lm_will: not enough room in buffer\n");
              break;
--
2.25.0

[Prev in Thread]

Current Thread

[Next in Thread]

[PATCH] telnet: Fix write buffer overflow (off-by-one check), Tim Rühsen <=
- Re: [PATCH] telnet: Fix write buffer overflow (off-by-one check), Tim Rühsen, 2020/02/16

Prev by Date: [PATCH] ftpd: Fix multiple definition of 'errcatch' (gcc 10)
Next by Date: [PATCH] rcp: Remove unused variable
Previous by thread: [PATCH] ftpd: Fix multiple definition of 'errcatch' (gcc 10)
Next by thread: Re: [PATCH] telnet: Fix write buffer overflow (off-by-one check)
Index(es):
- Date
- Thread