[PATCH 2/3] telnet: Fix TTYPE subnegotiation off-by-one error.

[Erik Auerswald]

Fix off-by-one error in Terminal-Type option subnegotiation if the TERM
variable has exactly 44 bytes.  In this case the SE byte (end of
subnegotiation parameters) was replaced by a NUL byte.  This concerns
the CVE-2019-0053 fixes.  Reported by Erik Auerswald in
<https://lists.gnu.org/archive/html/bug-inetutils/2022-02/msg00004.html>.

* NEWS: Mention fix.
* telnet/telnet.c (suboption): Adjust length check to account for NUL
byte written by snprintf().
---
 NEWS            | 5 +++++
 telnet/telnet.c | 2 +-
 2 files changed, 6 insertions(+), 1 deletion(-)

diff --git a/NEWS b/NEWS
index 166ca457..319bb2f9 100644
--- a/NEWS
+++ b/NEWS
@@ -11,6 +11,11 @@ Abort subnegotiation of X Display Location Option with WON'T 
when DISPLAY
 value is too large for buffer.  Reported by Joerg Mayer in
 <https://lists.gnu.org/archive/html/bug-inetutils/2022-01/msg00010.html>.
 
+Fix off-by-one error in Terminal-Type option subnegotiation if the TERM
+variable has exactly 44 bytes.  This concerns the CVE-2019-0053 fixes.
+Reported by Erik Auerswald in
+<https://lists.gnu.org/archive/html/bug-inetutils/2022-02/msg00004.html>.
+
 ** Various bugs fixes, internal improvements and clean ups.
 
 Further cleanup of configure.ac, updates to modern autoconf releases,
diff --git a/telnet/telnet.c b/telnet/telnet.c
index 62c79653..d7e0ad8e 100644
--- a/telnet/telnet.c
+++ b/telnet/telnet.c
@@ -860,7 +860,7 @@ suboption (void)
          name = gettermname ();
          len = strlen (name) + 4 + 2;
 
-         if ((len < NETROOM ()) && (len <= (int) sizeof (temp)))
+         if ((len < NETROOM ()) && (len < (int) sizeof (temp)))
            {
              snprintf ((char *) temp, sizeof (temp), "%c%c%c%c%s%c%c",
                        IAC, SB, TELOPT_TTYPE, TELQUAL_IS,
-- 
In the beginning, there were not enough colors.
                        -- Guy Keren