system/freebsd-src
system/freebsd-src
1
0
Fork 0
mirror of https://github.com/freebsd/freebsd-src synced 2024-07-21 18:27:22 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

When telnetd(8) composes argument list for login(1), an unexpected sequence

Browse source 
of memory allocation failures combined with insufficient error checking
could result in the construction and execution of an argument sequence that
was not intended.

Fix that treating malloc(3) failures as fatal condition.

Submitted by:	brooks
Security:	FreeBSD-SA-16:36.telnetd
This commit is contained in:
Gleb Smirnoff 2016-12-06 18:50:22 +00:00
parent 0d49655f96
commit f5c44977ff
Notes: svn2git 2020-12-20 02:59:44 +00:00 
svn path=/head/; revision=309638
1 changed files with 4 additions and 3 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

7
contrib/telnet/telnetd/sys_term.c
View file

@ -1159,7 +1159,7 @@ addarg(char **argv, const char *val)
*/
argv = (char **)malloc(sizeof(*argv) * 12);
if (argv == NULL)
return(NULL);
fatal(net, "failure allocating argument space");
*argv++ = (char *)10;
*argv = (char *)0;
}
@ -1170,11 +1170,12 @@ addarg(char **argv, const char *val)
*argv = (char *)((long)(*argv) + 10);
argv = (char **)realloc(argv, sizeof(*argv)*((long)(*argv) + 2));
if (argv == NULL)
return(NULL);
fatal(net, "failure allocating argument space");
argv++;
cpp = &argv[(long)argv[-1] - 10];
}
*cpp++ = strdup(val);
if ((*cpp++ = strdup(val)) == NULL)
fatal(net, "failure allocating argument space");
*cpp = 0;
return(argv);
}