telnet argv parsing overflow; from YangX92

ok millert
2025-01-10 06:47:55 -08:00 · 2018-09-30 14:35:32 +00:00 · 2018-09-30 14:35:32 +00:00 · e3bf1ad9ca
commit e3bf1ad9ca
parent fbe777cf51
1 changed files with 18 additions and 6 deletions
--- a/usr.bin/telnet/commands.c
+++ b/usr.bin/telnet/commands.c
@ -1,4 +1,4 @@
-/*	$OpenBSD: commands.c,v 1.85 2017/07/19 12:25:52 deraadt Exp $	*/
+/*	$OpenBSD: commands.c,v 1.86 2018/09/30 14:35:32 deraadt Exp $	*/
 /*	$NetBSD: commands.c,v 1.14 1996/03/24 22:03:48 jtk Exp $	*/

 /*
@ -58,19 +58,27 @@ typedef struct {
 	int	needconnect;	/* Do we need to be connected to execute? */
 } Command;

+#define        MAXARGV         20
+
 static char line[256];
 static int margc;
-static char *margv[20];
+static char *margv[MAXARGV+1];

-static void
+static int
 makeargv(void)
 {
    char *cp, *cp2, c;
    char **argp = margv;
+    int ret = 0;

    margc = 0;
    cp = line;
    while ((c = *cp)) {
+        if (margc >= MAXARGV) {
+            printf("too many arguments\n");
+            ret = 1;
+            break;
+        }
 	int inquote = 0;
 	while (isspace((unsigned char)c))
 	    c = *++cp;
@ -105,6 +113,7 @@ makeargv(void)
 	cp++;
    }
    *argp++ = 0;
+    return (ret);
 }

 /*
@ -1703,7 +1712,8 @@ cmdrc(char *m1, char *m2)
 		continue;
 	    gotmachine = 1;
 	}
-	makeargv();
+	if (makeargv())
+	    continue;
 	if (margv[0] == 0)
 	    continue;
 	c = getcmd(margv[0]);
@ -1747,7 +1757,8 @@ tn(int argc, char *argv[])
 	strlcpy(line, "open ", sizeof(line));
 	printf("(to) ");
 	(void) fgets(&line[strlen(line)], sizeof(line) - strlen(line), stdin);
-	makeargv();
+	if (makeargv())
+            return 0;
 	argc = margc;
 	argv = margv;
    }
@ -2017,7 +2028,8 @@ command(int top, char *tbuf, int cnt)
 	}
 	if (line[0] == 0)
 	    break;
-	makeargv();
+	if (makeargv())
+            break;
 	if (margv[0] == 0) {
 	    break;
 	}