svn commit: r309638 - head/contrib/telnet/telnetd
Gleb Smirnoff
glebius at FreeBSD.org
Tue Dec 6 18:50:24 UTC 2016
Author: glebius
Date: Tue Dec 6 18:50:22 2016
New Revision: 309638
URL: https://svnweb.freebsd.org/changeset/base/309638
Log:
When telnetd(8) composes argument list for login(1), an unexpected sequence
of memory allocation failures combined with insufficient error checking
could result in the construction and execution of an argument sequence that
was not intended.
Fix that by treating malloc(3) failures as a fatal condition.
Submitted by: brooks
Security: FreeBSD-SA-16:36.telnetd
Modified:
head/contrib/telnet/telnetd/sys_term.c
Modified: head/contrib/telnet/telnetd/sys_term.c
==============================================================================
--- head/contrib/telnet/telnetd/sys_term.c Tue Dec 6 18:50:06 2016 (r309637)
+++ head/contrib/telnet/telnetd/sys_term.c Tue Dec 6 18:50:22 2016 (r309638)
@@ -1159,7 +1159,7 @@ addarg(char **argv, const char *val)
*/
argv = (char **)malloc(sizeof(*argv) * 12);
if (argv == NULL)
- return(NULL);
+ fatal(net, "failure allocating argument space");
*argv++ = (char *)10;
*argv = (char *)0;
}
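Review bot: Each of the three new `fatal(net, ...)` calls is only a fix if fatal() never returns. At this malloc check the next statement is `*argv++ = (char *)10;`, which would dereference NULL if execution continued, and the realloc and strdup checks in the following hunk have the same dependency. fatal()'s declaration is not visible here, so it is worth confirming it is marked noreturn (`__dead2` in FreeBSD) so that compilers and static analysers treat the path as terminated. The function's header comment starts above this hunk; since the old code returned NULL on failure, I would add `/* Never returns NULL: an allocation failure is fatal. */` there to record the new contract for callers.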
@@ -1170,11 +1170,12 @@ addarg(char **argv, const char *val)
*argv = (char *)((long)(*argv) + 10);
argv = (char **)realloc(argv, sizeof(*argv)*((long)(*argv) + 2));
if (argv == NULL)
- return(NULL);
+ fatal(net, "failure allocating argument space");
argv++;
cpp = &argv[(long)argv[-1] - 10];
}
- *cpp++ = strdup(val);
+ if ((*cpp++ = strdup(val)) == NULL)
+ fatal(net, "failure allocating argument space");
*cpp = 0;
return(argv);
}
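Review bot: The new check `if ((*cpp++ = strdup(val)) == NULL)` packs an allocation, a store, a post-increment and the error test into one condition, which makes the security-relevant check easy to misread during later edits. Splitting it keeps the slot untouched until the copy is known to be good: `char *copy = strdup(val);`, then `if (copy == NULL) fatal(net, "failure allocating argument space");`, then `*cpp++ = copy;`. The `if` that guards the realloc branch begins above this hunk, so the growth condition itself cannot be reviewed from here.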