From: Apple
Date: Tue, 8 Mar 2005 23:50:54 +0000 (+0000)
Subject: network_cmds-176.4.1.tar.gz
X-Git-Tag: mac-os-x-1039^0
X-Git-Url: https://git.saurik.com/apple/network_cmds.git/commitdiff_plain/d5fe66bd4c9ef1a4f8b498bf03dee22c15508571
network_cmds-176.4.1.tar.gz
---
diff --git a/telnet.tproj/telnet.c b/telnet.tproj/telnet.c
index 3f4ccba..8527f13 100644
--- a/telnet.tproj/telnet.c
+++ b/telnet.tproj/telnet.c
@@ -1324,6 +1324,7 @@ slc_check(void)
 }
 unsigned char slc_reply[128];
+unsigned char const * const slc_reply_eom = &slc_reply[sizeof(slc_reply)];
 unsigned char *slc_replyp;
 void
@@ -1339,6 +1340,14 @@ slc_start_reply(void)
 void
 slc_add_reply(unsigned char func, unsigned char flags, cc_t value)
 {
+ /* A sequence of up to 6 bytes my be written for this member of the SLC
+ * suboption list by this function. The end of negotiation command,
+ * which is written by slc_end_reply(), will require 2 additional
+ * bytes. Do not proceed unless there is sufficient space for these
+ * items.
+ */
+ if (&slc_replyp[6+2] > slc_reply_eom)
+ return;
 if ((*slc_replyp++ = func) == IAC)
 *slc_replyp++ = IAC;
 if ((*slc_replyp++ = flags) == IAC)
@@ -1523,11 +1532,11 @@ env_opt_add(unsigned char *ep)
 return;
 }
 vp = env_getvalue(ep);
- if (opt_replyp + (vp ? strlen((char *)vp) : 0) +
- strlen((char *)ep) + 6 > opt_replyend)
+ if (opt_replyp + 2*(vp ? strlen((char *)vp) : 0) +
+ 2*strlen((char *)ep) + 6 > opt_replyend)
 {
 int len;
- opt_replyend += OPT_REPLY_SIZE;
+ opt_replyend += OPT_REPLY_SIZE + 2*strlen((char *)ep) + 2*(vp ? strlen((char *)vp) : 0);
 len = opt_replyend - opt_reply;
 opt_reply = (unsigned char *)realloc(opt_reply, len);
 if (opt_reply == NULL) {
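Review bot: The new guard in slc_add_reply evaluates `&slc_replyp[6+2]` before comparing it with slc_reply_eom, and forming a pointer more than one element past the end of slc_reply is undefined behaviour in C, so the check is least reliable when the buffer is nearly full, which is the case it exists for. Comparing the space that is left keeps the test inside the array: `if (slc_reply_eom - slc_replyp < 6 + 2) return;`. The 6 and the 2 would be easier to audit as named constants tied to the comment, which also has a typo (`my be` for `may be`). The early return drops the SLC entry silently, and whether slc_end_reply applies a matching bound is not visible here; the function body continues outside the hunk.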
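Review bot: The widened size check in env_opt_add still does its arithmetic on pointers: both `opt_replyp + 2*(...) + 2*strlen((char *)ep) + 6` and the later `opt_replyend += ...` form addresses beyond the current allocation before realloc runs, which is undefined behaviour and can wrap for a very long name or value. Computing the requirement once in integer arithmetic avoids that and the repeated strlen calls, for example `size_t need = 2*strlen((char *)ep) + 2*(vp ? strlen((char *)vp) : 0) + 6;` followed by `if ((size_t)(opt_replyend - opt_replyp) < need)`, assuming opt_replyp never passes opt_replyend. In the context lines, `int len` receives a pointer difference that may not fit in an int, and `opt_reply = realloc(opt_reply, len)` loses the old buffer when realloc fails. How the NULL branch recovers and whether opt_replyp is rebased onto the new block are outside this hunk and worth confirming.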