network_cmds-176.4.1.tar.gz

diff --git a/telnet.tproj/telnet.c b/telnet.tproj/telnet.c
index 3f4ccba8eab7e1801af12dd921fd79b0971c5252..8527f132d4f6e44e848fcb31c66d317846a9a088 100644 (file)
--- a/telnet.tproj/telnet.c
+++ b/telnet.tproj/telnet.c
@@ -1324,6 +1324,7 @@ slc_check(void)
 }
 
 unsigned char slc_reply[128];
+unsigned char const * const slc_reply_eom = &slc_reply[sizeof(slc_reply)];
 unsigned char *slc_replyp;
 
 void
@@ -1339,6 +1340,14 @@ slc_start_reply(void)
 void
 slc_add_reply(unsigned char func, unsigned char flags, cc_t value)
 {
+       /* A sequence of up to 6 bytes my be written for this member of the SLC
+       * suboption list by this function.  The end of negotiation command,
+       * which is written by slc_end_reply(), will require 2 additional
+       * bytes.  Do not proceed unless there is sufficient space for these
+       * items.
+       */
+       if (&slc_replyp[6+2] > slc_reply_eom)
+               return;
        if ((*slc_replyp++ = func) == IAC)
                *slc_replyp++ = IAC;
        if ((*slc_replyp++ = flags) == IAC)
@@ -1523,11 +1532,11 @@ env_opt_add(unsigned char *ep)
                return;
        }
        vp = env_getvalue(ep);
-       if (opt_replyp + (vp ? strlen((char *)vp) : 0) +
-                               strlen((char *)ep) + 6 > opt_replyend)
+       if (opt_replyp + 2*(vp ? strlen((char *)vp) : 0) +
+                               2*strlen((char *)ep) + 6 > opt_replyend)
        {
                int len;
-               opt_replyend += OPT_REPLY_SIZE;
+               opt_replyend += OPT_REPLY_SIZE + 2*strlen((char *)ep) + 2*(vp ? strlen((char *)vp) : 0);
                len = opt_replyend - opt_reply;
                opt_reply = (unsigned char *)realloc(opt_reply, len);
                if (opt_reply == NULL) {