Date: Tue, 6 Dec 2016 18:50:23 +0000 (UTC) From: Gleb Smirnoff <glebius@FreeBSD.org> To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org Subject: svn commit: r309638 - head/contrib/telnet/telnetd Message-ID: <201612061850.uB6IoNv2017218@repo.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: glebius Date: Tue Dec 6 18:50:22 2016 New Revision: 309638 URL: https://svnweb.freebsd.org/changeset/base/309638 Log: When telnetd(8) composes argument list for login(1), an unexpected sequence of memory allocation failures combined with insufficient error checking could result in the construction and execution of an argument sequence that was not intended. Fix that treating malloc(3) failures as fatal condition. Submitted by: brooks Security: FreeBSD-SA-16:36.telnetd Modified: head/contrib/telnet/telnetd/sys_term.c Modified: head/contrib/telnet/telnetd/sys_term.c ============================================================================== --- head/contrib/telnet/telnetd/sys_term.c Tue Dec 6 18:50:06 2016 (r309637) +++ head/contrib/telnet/telnetd/sys_term.c Tue Dec 6 18:50:22 2016 (r309638) @@ -1159,7 +1159,7 @@ addarg(char **argv, const char *val) */ argv = (char **)malloc(sizeof(*argv) * 12); if (argv == NULL) - return(NULL); + fatal(net, "failure allocating argument space"); *argv++ = (char *)10; *argv = (char *)0; } @@ -1170,11 +1170,12 @@ addarg(char **argv, const char *val) *argv = (char *)((long)(*argv) + 10); argv = (char **)realloc(argv, sizeof(*argv)*((long)(*argv) + 2)); if (argv == NULL) - return(NULL); + fatal(net, "failure allocating argument space"); argv++; cpp = &argv[(long)argv[-1] - 10]; } - *cpp++ = strdup(val); + if ((*cpp++ = strdup(val)) == NULL) + fatal(net, "failure allocating argument space"); *cpp = 0; return(argv); }
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201612061850.uB6IoNv2017218>