
telnet: Add failsafe to avoid sending more than sizeof(obuf)


jcs made amendment 267 about 1 year ago
--- telnet.c Sat Oct 1 21:16:26 2022
+++ telnet.c Tue Oct 25 16:49:50 2022
@@ -738,9 +738,11 @@ telnet_output(struct session *session)
 process_result:
 if (node->tcp_wds[0].length) {
 /* previous _TCPSend completed, shift out those bytes */
- session->obuflen -= node->obuflen;
- if (session->obuflen < 0)
+ if (session->obuflen < node->obuflen) {
 warn("bogus obuflen %d", session->obuflen);
+ session->obuflen = 0;
+ } else
+ session->obuflen -= node->obuflen;
 if (session->obuflen > 0)
 memmove(session->obuf, session->obuf + node->obuflen, session->obuflen);
@@ -772,7 +774,15 @@ process_result:
 node->obuf[node->escaped_obuflen++] = c;
 }
 }
-
+
+ if (node->escaped_obuflen > sizeof(node->obuf)) {
+ warn("bogus obuflen %d > %ld", node->escaped_obuflen,
+ sizeof(node->obuf));
+ session->ending = true;
+ session_close(session);
+ return 0;
+ }
+
 /*
 * _TCPSend only knows how many wds pointers were passed in when it
 * reads the next one and its pointer is zero (or size is zero?)
@@ -787,7 +797,7 @@ process_result:
 true);
 if (error) {
 warn("TCPSend[%d] failed: %d", node->id, error);
- session->ending = 1;
+ session->ending = true;
 }
 /* if we can send in less than 500ms, avoid a uthread switch */
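Review bot: The warning added in the first hunk logs only `session->obuflen`, so the log cannot show how far the two counters had diverged; `warn("bogus obuflen %d < %d", session->obuflen, node->obuflen);` would record both, assuming both fields are int-sized (their declarations are outside the hunk). Resetting the length to zero and carrying on also silently discards whatever output was still queued, while the escaped_obuflen check later in this same commit treats an inconsistent length as fatal and closes the session. A short comment such as `/* counters out of sync: drop pending output rather than memmove a bogus length */` would make the different policy deliberate. telnet_output's body starts and ends outside the hunk.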
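Review bot: The bounds check added in the second hunk runs only after the escaping loop, whose visible tail `node->obuf[node->escaped_obuflen++] = c;` has already stored the byte, so once `escaped_obuflen > sizeof(node->obuf)` is true the write past the end of `node->obuf` has already happened. The check keeps _TCPSend from reading beyond the buffer, but unless the loop (which starts outside this hunk) bounds the index itself, memory after obuf is already corrupted by the time the session is closed. The limit should be enforced before each store, for example `if (node->escaped_obuflen >= sizeof(node->obuf)) break;` with room left for any doubled escape byte, keeping this check as a backstop. Separately, `sizeof` yields a size_t, so `%ld` is the wrong conversion; `%lu` with `(unsigned long)sizeof(node->obuf)` is portable.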