From owner-svn-src-stable-9@freebsd.org Tue Dec 6 18:52:34 2016 Return-Path: Delivered-To: svn-src-stable-9@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id C177AC6AAAC; Tue, 6 Dec 2016 18:52:34 +0000 (UTC) (envelope-from glebius@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 8D4CB201; Tue, 6 Dec 2016 18:52:34 +0000 (UTC) (envelope-from glebius@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id uB6IqXd1021191; Tue, 6 Dec 2016 18:52:33 GMT (envelope-from glebius@FreeBSD.org) Received: (from glebius@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id uB6IqXY8021190; Tue, 6 Dec 2016 18:52:33 GMT (envelope-from glebius@FreeBSD.org) Message-Id: <201612061852.uB6IqXY8021190@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: glebius set sender to glebius@FreeBSD.org using -f From: Gleb Smirnoff Date: Tue, 6 Dec 2016 18:52:33 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-9@freebsd.org Subject: svn commit: r309643 - stable/9/contrib/telnet/telnetd X-SVN-Group: stable-9 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-stable-9@freebsd.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: SVN commit messages for only the 9-stable src tree List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 06 Dec 2016 18:52:34 -0000 Author: glebius Date: Tue Dec 6 18:52:33 2016 New Revision: 309643 URL: https://svnweb.freebsd.org/changeset/base/309643 Log: Merge r309638 from head: When telnetd(8) composes argument list for login(1), an unexpected sequence of memory allocation failures combined with insufficient error checking could result in the construction and execution of an argument sequence that was not intended. Fix that treating malloc(3) failures as fatal condition. Submitted by: brooks Security: FreeBSD-SA-16:36.telnetd Modified: stable/9/contrib/telnet/telnetd/sys_term.c Directory Properties: stable/9/ (props changed) stable/9/contrib/ (props changed) stable/9/contrib/telnet/ (props changed) Modified: stable/9/contrib/telnet/telnetd/sys_term.c ============================================================================== --- stable/9/contrib/telnet/telnetd/sys_term.c Tue Dec 6 18:52:18 2016 (r309642) +++ stable/9/contrib/telnet/telnetd/sys_term.c Tue Dec 6 18:52:33 2016 (r309643) @@ -1163,7 +1163,7 @@ addarg(char **argv, const char *val) */ argv = (char **)malloc(sizeof(*argv) * 12); if (argv == NULL) - return(NULL); + fatal(net, "failure allocating argument space"); *argv++ = (char *)10; *argv = (char *)0; } @@ -1174,11 +1174,12 @@ addarg(char **argv, const char *val) *argv = (char *)((long)(*argv) + 10); argv = (char **)realloc(argv, sizeof(*argv)*((long)(*argv) + 2)); if (argv == NULL) - return(NULL); + fatal(net, "failure allocating argument space"); argv++; cpp = &argv[(long)argv[-1] - 10]; } - *cpp++ = strdup(val); + if ((*cpp++ = strdup(val)) == NULL) + fatal(net, "failure allocating argument space"); *cpp = 0; return(argv); }