AmendHub

jcs

/

subtext

/

amendments

/

267

telnet: Add failsafe to avoid sending more than sizeof(obuf)


jcs made amendment 267 3 months ago
--- telnet.c Sat Oct 1 21:16:26 2022 +++ telnet.c Tue Oct 25 16:49:50 2022 @@ -738,9 +738,11 @@ telnet_output(struct session *session) process_result: if (node->tcp_wds[0].length) { /* previous _TCPSend completed, shift out those bytes */ - session->obuflen -= node->obuflen; - if (session->obuflen < 0) + if (session->obuflen < node->obuflen) { warn("bogus obuflen %d", session->obuflen); + session->obuflen = 0; + } else + session->obuflen -= node->obuflen; if (session->obuflen > 0) memmove(session->obuf, session->obuf + node->obuflen, session->obuflen); @@ -772,7 +774,15 @@ process_result: node->obuf[node->escaped_obuflen++] = c; } } - + + if (node->escaped_obuflen > sizeof(node->obuf)) { + warn("bogus obuflen %d > %ld", node->escaped_obuflen, + sizeof(node->obuf)); + session->ending = true; + session_close(session); + return 0; + } + /* * _TCPSend only knows how many wds pointers were passed in when it * reads the next one and its pointer is zero (or size is zero?) @@ -787,7 +797,7 @@ process_result: true); if (error) { warn("TCPSend[%d] failed: %d", node->id, error); - session->ending = 1; + session->ending = true; } /* if we can send in less than 500ms, avoid a uthread switch */