
Re: multiple vendor telnet daemon vulnerability (link)



Leif Johansson <leifj@it.su.se> writes:
> I took an amateurish and uninformed look at the telnet code and
> it seemed to me like there was lots of bounds checking being
> done on nfrontp and netobuf but someone with better knowledge of 
> the code should probably check this out asap!

Thanks for sending this.  There was actually lots of bounds checking
in the Heimdal version of telnetd.  One problem was however that one
of them was slightly wrong. :-(  This has been fixed in the just
released 0.4c, but if you prefer just applying this fix the patch is
appended below.

/assar

Index: global.c
===================================================================
RCS file: /afs/pdc.kth.se/src/packages/kth-krb/SourceRepository/appl/telnet/telnetd/global.c,v
retrieving revision 1.12
retrieving revision 1.13
diff -u -w -u -w -r1.12 -r1.13
--- global.c	1997/05/11 06:29:59	1.12
+++ global.c	2001/07/19 16:00:42	1.13
@@ -36,7 +36,7 @@
 
 #include "telnetd.h"
 
-RCSID("$Id: global.c,v 1.12 1997/05/11 06:29:59 assar Exp $");
+RCSID("$Id: global.c,v 1.13 2001/07/19 16:00:42 assar Exp $");
 
 /*
  * Telnet server variable declarations
@@ -93,7 +93,7 @@
 output_data (const char *format, ...)
 {
   va_list args;
-  size_t remaining, ret;
+  int remaining, ret;
 
   va_start(args, format);
   remaining = BUFSIZ - (nfrontp - netobuf);
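Review bot: With `int remaining, ret;` the value computed by `remaining = BUFSIZ - (nfrontp - netobuf);` can now be zero or negative when `nfrontp` is at or past the end of `netobuf`, and nothing in this hunk checks for that before `remaining` is handed to the formatting call as its size argument. If that parameter is a `size_t`, a negative `int` converts to a very large bound. Suggest an explicit `if (remaining <= 0)` check that flushes the buffer or returns early before formatting, plus a short comment on why these variables have to be signed.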
@@ -101,7 +101,7 @@
 		   remaining,
 		   format,
 		   args);
-  nfrontp += ret;
+  nfrontp += min(ret, remaining-1);
   va_end(args);
   return ret;
 }
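Review bot: In `nfrontp += min(ret, remaining-1);` there is no lower bound, so a negative `ret` (the usual error return of a formatting function) or a `remaining` of 0 makes the `min()` result negative and moves `nfrontp` backwards inside `netobuf`. Suggest clamping the increment to zero and handling the error case separately. Also note that `return ret;` still returns the untruncated length rather than the amount added to `nfrontp`, so a caller that treats the return value as bytes queued will overcount after truncation; either return the clamped value or document the difference.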