FreeBSD Security Advisory FreeBSD-SA-05:01.telnet
Steve Kiernan
stevek at juniper.net
Thu Mar 31 11:21:06 PST 2005
I was looking at this patch, but there seems to be an error in it:
unsigned char slc_reply[128];
+unsigned char const * const slc_reply_eom = &slc_reply[sizeof(slc_reply)];
unsigned char *slc_replyp;
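Review bot: defining slc_reply_eom as &slc_reply[sizeof(slc_reply)] is the right choice. It is the one-past-the-end address, which C allows to be formed and compared, and a write of n bytes starting at slc_replyp stays inside the array exactly when &slc_replyp[n] <= slc_reply_eom; that is the bound the `>` tests further down rely on. Moving the sentinel to sizeof(slc_reply) - 1 would make those tests refuse a reply that ends exactly on the last byte of the buffer. A one-line comment here stating that slc_reply_eom is one past the end rather than the last valid byte would head off that misreading.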
Should the value for slc_reply_eom not be this instead?
unsigned char const * const slc_reply_eom = &slc_reply[sizeof(slc_reply) - 1];
Considering the conditionals are the following:
+ if (&slc_replyp[6+2] > slc_reply_eom)
+ return;
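Review bot: this test is not off by one. When &slc_replyp[6+2] == slc_reply_eom the write is allowed and the bytes go to slc_replyp[0] through slc_replyp[7], the last of which is slc_reply[sizeof(slc_reply) - 1], still inside the array; only the case the test refuses, &slc_replyp[6+2] > slc_reply_eom, would reach slc_reply[sizeof(slc_reply)]. Two smaller points: forming &slc_replyp[6+2] when slc_replyp is within 7 bytes of the end creates a pointer beyond one-past-the-end, which the C standard does not permit even without a dereference, and `slc_reply_eom - slc_replyp < 6+2` expresses the same bound without doing so; and the bare constants 6+2 deserve a comment like the one on the second check, saying what the 6 covers and that the 2 reserves room for the end-of-negotiation bytes.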
.. and ..
+ /* The end of negotiation command requires 2 bytes. */
+ if (&slc_replyp[2] > slc_reply_eom)
+ return;
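Review bot: same arithmetic as the first check: with slc_reply_eom one past the end, `>` lets the 2-byte end-of-negotiation sequence occupy the final two bytes of slc_reply and refuses only a write that would cross the end. Returning silently here leaves whatever was already placed in slc_reply without its terminator; a comment stating what the caller does with an unterminated reply on this path would make that failure mode visible.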
If you don't subtract 1 from the sizeof(slc_reply) or change the
conditional operators to >=, then you could try to write one byte past
the end of the buffer.
--
Steve Kiernan
Juniper Networks
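The two checks quoted in the mail, worked through against a 128-byte buffer. This is an added example written for this page; it is not the advisory's patch or any code from the telnet source. It keeps the 6-byte entry and 2-byte terminator sizes implied by the quoted checks, but the names (reply_add_entry, reply_end, reply_fill, ENTRY_LEN, END_LEN) and the filler byte values are made up for illustration. It fills a buffer once with the patch's one-past-the-end sentinel and once with the sizeof - 1 sentinel proposed in the mail, and reports how many entries each accepts and the highest index written.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example, not code from the advisory or the patch: models the two
 * bounds checks quoted above against a 128-byte reply buffer and compares
 * the patch's end pointer (one past the last element) with the "sizeof - 1"
 * variant proposed in the mail. Entry and terminator sizes (6 and 2 bytes)
 * follow the quoted checks; the byte values written are constructed. */

#define REPLY_SIZE 128
#define ENTRY_LEN  6   /* bytes one entry may occupy, per the "6+2" check */
#define END_LEN    2   /* end-of-negotiation bytes, per the "requires 2 bytes" check */

struct reply {
    unsigned char buf[REPLY_SIZE];
    unsigned char *p;           /* next free byte (plays slc_replyp) */
    const unsigned char *eom;   /* bound the checks compare against (plays slc_reply_eom) */
};

static void reply_init(struct reply *r, int eom_past_end)
{
    memset(r->buf, 0, sizeof r->buf);
    r->p = r->buf;
    r->eom = eom_past_end ? &r->buf[sizeof r->buf]        /* the patch */
                          : &r->buf[sizeof r->buf - 1];   /* the mail's proposal */
}

/* Bytes that may still be written without passing eom. */
static size_t reply_room(const struct reply *r)
{
    return r->p <= r->eom ? (size_t)(r->eom - r->p) : 0;
}

/* Mirrors "if (&slc_replyp[6+2] > slc_reply_eom) return;", written as a
 * size comparison so no pointer beyond one-past-the-end is ever formed.
 * Returns 1 if the entry was written, 0 if it was refused. */
static int reply_add_entry(struct reply *r, unsigned char func)
{
    if (ENTRY_LEN + END_LEN > reply_room(r))
        return 0;
    r->p[0] = func;
    memset(r->p + 1, 0x55, ENTRY_LEN - 1);  /* constructed filler bytes */
    r->p += ENTRY_LEN;
    return 1;
}

/* Mirrors "if (&slc_replyp[2] > slc_reply_eom) return;". */
static int reply_end(struct reply *r)
{
    if (END_LEN > reply_room(r))
        return 0;
    r->p[0] = 0xff;  /* constructed terminator bytes */
    r->p[1] = 0xf0;
    r->p += END_LEN;
    return 1;
}

/* Add entries until one is refused, then terminate. Returns the number of
 * entries accepted; *last_index gets the highest buffer index written and
 * *terminated whether the 2-byte terminator fit. */
static int reply_fill(int eom_past_end, long *last_index, int *terminated)
{
    struct reply r;
    int n = 0;
    reply_init(&r, eom_past_end);
    while (reply_add_entry(&r, (unsigned char)n))
        n++;
    *terminated = reply_end(&r);
    *last_index = (long)(r.p - r.buf) - 1;
    return n;
}

int main(void)
{
    long last;
    int term;
    int n = reply_fill(1, &last, &term);
    printf("one-past-end eom: %d entries, terminated=%d, last index %ld\n", n, term, last);
    n = reply_fill(0, &last, &term);
    printf("sizeof-1 eom:     %d entries, terminated=%d, last index %ld\n", n, term, last);
    return 0;
}
```

With the one-past-the-end sentinel the buffer takes 21 entries plus the terminator and the last byte written is index 127, the final element of the array, never index 128; with the sizeof - 1 sentinel the same `>` tests stop one entry earlier and leave the last six bytes unused. The "+2" in the entry check is what guarantees the terminator always fits once an entry has been accepted.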
More information about the freebsd-security mailing list