From: Daniel Stenberg <daniel@haxx.se>
Date: Mon, 13 Jan 2025 11:16:19 +0000 (+0100)
Subject: telnet: handle single-byte input option
X-Git-Tag: curl-8_12_0~132
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=02ba03938f9f91e1b96b8a9223aa5bc183550f8a;p=thirdparty%2Fcurl.git

telnet: handle single-byte input option

Coverity CID 1638753 correctly identies this code misbehaved if the
passed in suboption is exactly one byte long by substracting two from
the unsigned size_t variable.

Closes #15987
---

diff --git a/lib/telnet.c b/lib/telnet.c
index 64d552d159..4a7f6d060d 100644
--- a/lib/telnet.c
+++ b/lib/telnet.c
@@ -695,7 +695,10 @@ static void printsub(struct Curl_easy *data,
           infof(data, ", not IAC SE) ");
         }
       }
-      length -= 2;
+      if(length >= 2)
+        length -= 2;
+      else /* bad input */
+        return;
     }
     if(length < 1) {
       infof(data, "(Empty suboption?)");