[ipfire-2.x.git] / src / patches / telnet-0.17-CAN-2005-468_469.patch

--- netkit-telnet-0.17/telnet/telnet.c.CAN-2005-468_469	2005-03-17 13:48:58.000000000 +0100
+++ netkit-telnet-0.17/telnet/telnet.c	2005-03-17 14:02:27.000000000 +0100
@@ -1310,22 +1310,66 @@
 }
 
 
-unsigned char slc_reply[128];
+#define SLC_REPLY_SIZE 128
+unsigned char *slc_reply;
 unsigned char *slc_replyp;
+unsigned char *slc_replyend;
 
 	void
 slc_start_reply(void)
 {
+        slc_reply = (unsigned char *)malloc(SLC_REPLY_SIZE);
+        if (slc_reply == NULL) {
+/*@*/           printf("slc_start_reply: malloc()/realloc() failed!!!\n");
+                slc_reply = slc_replyp = slc_replyend = NULL;
+                return;
+	}
+
 	slc_replyp = slc_reply;
+	slc_replyend = slc_reply + SLC_REPLY_SIZE;
 	*slc_replyp++ = IAC;
 	*slc_replyp++ = SB;
 	*slc_replyp++ = TELOPT_LINEMODE;
 	*slc_replyp++ = LM_SLC;
 }
 
+static int
+slc_assure_buffer(int want_len);
+
+	static int
+slc_assure_buffer(int want_len)
+{
+        if ((slc_replyp + want_len) >= slc_replyend) {
+                int len;
+		int old_len = slc_replyp - slc_reply;
+		unsigned char *p;
+
+                len = old_len
+			+ (want_len / SLC_REPLY_SIZE + 1) * SLC_REPLY_SIZE;
+                p = (unsigned char *)realloc(slc_reply, len);
+                if (p == NULL)
+                        free(slc_reply);
+                slc_reply = p;
+                if (slc_reply == NULL) {
+/*@*/                   printf("slc_add_reply: realloc() failed!!!\n");
+                        slc_reply = slc_replyp = slc_replyend = NULL;
+                        return 1;
+                }
+                slc_replyp = slc_reply + old_len;
+                slc_replyend = slc_reply + len;
+        }
+	return 0;
+}
+
 	void
 slc_add_reply(unsigned char func, unsigned char flags, cc_t value)
 {
+	if (slc_assure_buffer(6))
+		return;
+
+	if (slc_replyp == NULL)
+		return;
+
 	if ((*slc_replyp++ = func) == IAC)
 		*slc_replyp++ = IAC;
 	if ((*slc_replyp++ = flags) == IAC)
@@ -1339,6 +1383,12 @@
 {
     int len;
 
+    if (slc_assure_buffer(2))
+	return;
+
+    if (slc_replyp == NULL)
+	return;
+
     *slc_replyp++ = IAC;
     *slc_replyp++ = SE;
     len = slc_replyp - slc_reply;
@@ -1456,7 +1506,7 @@
 	}
 }
 
-#define	OPT_REPLY_SIZE	256
+#define	OPT_REPLY_SIZE	1024
 unsigned char *opt_reply;
 unsigned char *opt_replyp;
 unsigned char *opt_replyend;
@@ -1490,10 +1540,38 @@
 env_opt_start_info(void)
 {
 	env_opt_start();
-	if (opt_replyp)
+	if (opt_replyp && (opt_replyp > opt_reply))
 	    opt_replyp[-1] = TELQUAL_INFO;
 }
 
+static int
+env_opt_assure_buffer(int want_len);
+
+	static int
+env_opt_assure_buffer(int want_len)
+{
+        if ((opt_replyp + want_len) >= opt_replyend) {
+		int len;
+		unsigned char *p;
+		int old_len = opt_replyp - opt_reply;
+
+		len = old_len
+			+ (want_len / OPT_REPLY_SIZE + 1) * OPT_REPLY_SIZE;
+		p = (unsigned char *)realloc(opt_reply, len);
+		if (p == NULL)
+			free(opt_reply);
+		opt_reply = p;
+		if (opt_reply == NULL) {
+/*@*/			printf("env_opt_add: realloc() failed!!!\n");
+			opt_reply = opt_replyp = opt_replyend = NULL;
+			return 1;
+		}
+		opt_replyp = opt_reply + old_len;
+		opt_replyend = opt_reply + len;
+	}
+	return 0;
+}
+
 	void
 env_opt_add(unsigned char *ep)
 {
@@ -1515,25 +1593,12 @@
 		return;
 	}
 	vp = env_getvalue(ep, 1);
-	if (opt_replyp + (vp ? strlen((char *)vp) : 0) +
-				strlen((char *)ep) + 6 > opt_replyend)
-	{
-		int len;
-		unsigned char *p;
-		opt_replyend += OPT_REPLY_SIZE;
-		len = opt_replyend - opt_reply;
-		p = (unsigned char *)realloc(opt_reply, len);
-		if (p == NULL)
-			free(opt_reply);
-		opt_reply = p;
-		if (opt_reply == NULL) {
-/*@*/			printf("env_opt_add: realloc() failed!!!\n");
-			opt_reply = opt_replyp = opt_replyend = NULL;
-			return;
-		}
-		opt_replyp = opt_reply + len - (opt_replyend - opt_replyp);
-		opt_replyend = opt_reply + len;
-	}
+
+	/* use the double length in case it gots escaped */
+	if (env_opt_assure_buffer((vp ? strlen((char *)vp)*2 : 0) +
+				strlen((char *)ep)*2 + 6))
+		return;
+
 	if (opt_welldefined((char *)ep))
 #ifdef	OLD_ENVIRON
 		if (telopt_environ == TELOPT_OLD_ENVIRON)
@@ -1588,8 +1653,14 @@
 {
 	int len;
 
+        if (opt_reply == NULL)          /*XXX*/
+                return;                 /*XXX*/
+
+
 	len = opt_replyp - opt_reply + 2;
 	if (emptyok || len > 6) {
+		if (env_opt_assure_buffer(2))
+			return;
 		*opt_replyp++ = IAC;
 		*opt_replyp++ = SE;
 		if (NETROOM() > len) {
Commit	Line	Data
b52f6eb2 DW	1	--- netkit-telnet-0.17/telnet/telnet.c.CAN-2005-468_469 2005-03-17 13:48:58.000000000 +0100
	2	+++ netkit-telnet-0.17/telnet/telnet.c 2005-03-17 14:02:27.000000000 +0100
	3	@@ -1310,22 +1310,66 @@
	4	}
	5
	6
	7	-unsigned char slc_reply[128];
	8	+#define SLC_REPLY_SIZE 128
	9	+unsigned char *slc_reply;
	10	unsigned char *slc_replyp;
	11	+unsigned char *slc_replyend;
	12
	13	void
	14	slc_start_reply(void)
	15	{
	16	+ slc_reply = (unsigned char *)malloc(SLC_REPLY_SIZE);
	17	+ if (slc_reply == NULL) {
	18	+/@/ printf("slc_start_reply: malloc()/realloc() failed!!!\n");
	19	+ slc_reply = slc_replyp = slc_replyend = NULL;
	20	+ return;
	21	+ }
	22	+
	23	slc_replyp = slc_reply;
	24	+ slc_replyend = slc_reply + SLC_REPLY_SIZE;
	25	*slc_replyp++ = IAC;
	26	*slc_replyp++ = SB;
	27	*slc_replyp++ = TELOPT_LINEMODE;
	28	*slc_replyp++ = LM_SLC;
	29	}
	30
	31	+static int
	32	+slc_assure_buffer(int want_len);
	33	+
	34	+ static int
	35	+slc_assure_buffer(int want_len)
	36	+{
	37	+ if ((slc_replyp + want_len) >= slc_replyend) {
	38	+ int len;
	39	+ int old_len = slc_replyp - slc_reply;
	40	+ unsigned char *p;
	41	+
	42	+ len = old_len
	43	+ + (want_len / SLC_REPLY_SIZE + 1) * SLC_REPLY_SIZE;
	44	+ p = (unsigned char *)realloc(slc_reply, len);
	45	+ if (p == NULL)
	46	+ free(slc_reply);
	47	+ slc_reply = p;
	48	+ if (slc_reply == NULL) {
	49	+/@/ printf("slc_add_reply: realloc() failed!!!\n");
	50	+ slc_reply = slc_replyp = slc_replyend = NULL;
	51	+ return 1;
	52	+ }
	53	+ slc_replyp = slc_reply + old_len;
	54	+ slc_replyend = slc_reply + len;
	55	+ }
	56	+ return 0;
	57	+}
	58	+
	59	void
	60	slc_add_reply(unsigned char func, unsigned char flags, cc_t value)
	61	{
	62	+ if (slc_assure_buffer(6))
	63	+ return;
	64	+
65	+ if (slc_replyp == NULL)
66	+ return;
67	+
68	if ((*slc_replyp++ = func) == IAC)
69	*slc_replyp++ = IAC;
70	if ((*slc_replyp++ = flags) == IAC)
71	@@ -1339,6 +1383,12 @@
72	{
73	int len;
74
75	+ if (slc_assure_buffer(2))
76	+ return;
77	+
78	+ if (slc_replyp == NULL)
79	+ return;
80	+
81	*slc_replyp++ = IAC;
82	*slc_replyp++ = SE;
83	len = slc_replyp - slc_reply;
84	@@ -1456,7 +1506,7 @@
85	}
86	}
87
88	-#define OPT_REPLY_SIZE 256
89	+#define OPT_REPLY_SIZE 1024
90	unsigned char *opt_reply;
91	unsigned char *opt_replyp;
92	unsigned char *opt_replyend;
93	@@ -1490,10 +1540,38 @@
94	env_opt_start_info(void)
95	{
96	env_opt_start();
97	- if (opt_replyp)
98	+ if (opt_replyp && (opt_replyp > opt_reply))
99	opt_replyp[-1] = TELQUAL_INFO;
100	}
101
102	+static int
103	+env_opt_assure_buffer(int want_len);
104	+
105	+ static int
106	+env_opt_assure_buffer(int want_len)
107	+{
108	+ if ((opt_replyp + want_len) >= opt_replyend) {
109	+ int len;
110	+ unsigned char *p;
111	+ int old_len = opt_replyp - opt_reply;
112	+
113	+ len = old_len
114	+ + (want_len / OPT_REPLY_SIZE + 1) * OPT_REPLY_SIZE;
115	+ p = (unsigned char *)realloc(opt_reply, len);
116	+ if (p == NULL)
117	+ free(opt_reply);
118	+ opt_reply = p;
119	+ if (opt_reply == NULL) {
120	+/@/ printf("env_opt_add: realloc() failed!!!\n");
121	+ opt_reply = opt_replyp = opt_replyend = NULL;
122	+ return 1;
123	+ }
124	+ opt_replyp = opt_reply + old_len;
125	+ opt_replyend = opt_reply + len;
126	+ }
127	+ return 0;
128	+}
129	+
130	void
131	env_opt_add(unsigned char *ep)
132	{
133	@@ -1515,25 +1593,12 @@
134	return;
135	}
136	vp = env_getvalue(ep, 1);
137	- if (opt_replyp + (vp ? strlen((char *)vp) : 0) +
138	- strlen((char *)ep) + 6 > opt_replyend)
139	- {
140	- int len;
141	- unsigned char *p;
142	- opt_replyend += OPT_REPLY_SIZE;
143	- len = opt_replyend - opt_reply;
144	- p = (unsigned char *)realloc(opt_reply, len);
145	- if (p == NULL)
146	- free(opt_reply);
147	- opt_reply = p;
148	- if (opt_reply == NULL) {
149	-/@/ printf("env_opt_add: realloc() failed!!!\n");
150	- opt_reply = opt_replyp = opt_replyend = NULL;
151	- return;
152	- }
153	- opt_replyp = opt_reply + len - (opt_replyend - opt_replyp);
154	- opt_replyend = opt_reply + len;
155	- }
156	+
157	+ /* use the double length in case it gots escaped */
158	+ if (env_opt_assure_buffer((vp ? strlen((char )vp)2 : 0) +
159	+ strlen((char )ep)2 + 6))
160	+ return;
161	+
162	if (opt_welldefined((char *)ep))
163	#ifdef OLD_ENVIRON
164	if (telopt_environ == TELOPT_OLD_ENVIRON)
165	@@ -1588,8 +1653,14 @@
166	{
167	int len;
168
169	+ if (opt_reply == NULL) /XXX/
170	+ return; /XXX/
171	+
172	+
173	len = opt_replyp - opt_reply + 2;
174	if (emptyok \|\| len > 6) {
175	+ if (env_opt_assure_buffer(2))
176	+ return;
177	*opt_replyp++ = IAC;
178	*opt_replyp++ = SE;
179	if (NETROOM() > len) {