Bugtraq mailing list archives

Re: FreeBSD Security Advisory: FreeBSD-SA-00:69.telnetd


From: Christos Zoulas <christos () ZOULAS COM>
Date: Wed, 15 Nov 2000 17:55:27 -0500

On Nov 14,  2:30pm, security-advisories () FREEBSD ORG (FreeBSD Security Advisories) wrote:
-- Subject: FreeBSD Security Advisory: FreeBSD-SA-00:69.telnetd

The code below is incorrect, at least on the version of telnetd I
am looking at. A few lines above the uni-diff, "line" is declared
to be "extern char *", thus sizeof(line) will return sizeof(char *),
which is clearly wrong. Also, the patch is missing a
few more possible buffer overflows that may or may not be significant.

christos

|     --- telnetd.c     2000/01/25 14:52:00     1.22
|     +++ telnetd.c     2000/10/31 05:29:54     1.23
|     @@ -811,7 +811,7 @@
|                       fatal(net, "Out of ptys");
|
|               if ((pty = open(lp, 2)) >= 0) {
|     -                 strcpy(line,lp);
|     +                 strlcpy(line,lp,sizeof(line));
|                       line[5] = 't';
|                       break;
|               }
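
Review bot: the bound sizeof(line) on the added strlcpy line is only the buffer length if "line" is visible as an array in this file; the hunk does not show the declaration, and the message above reports it as "extern char *", in which case the bound is the pointer size and the pty name in lp is cut to a few bytes. Pass the real buffer length (a shared constant, or an array declaration carrying the size) and check the strlcpy return value, so a truncated name is handled as an error before line[5] = 't' is executed.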
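
The sizeof point made in the message above, as an added example that is not part of the original post or of telnetd. The helper copy_bounded, the 16-byte LINE_SIZE, the name line_storage and the sample pty name are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* strlcpy-style copy, written out so the example builds where libc has no
 * strlcpy: copies at most size-1 bytes, NUL-terminates, returns strlen(src). */
static size_t copy_bounded(char *dst, const char *src, size_t size)
{
    size_t len = strlen(src);
    if (size != 0) {
        size_t n = len < size ? len : size - 1;
        memcpy(dst, src, n);
        dst[n] = '\0';
    }
    return len;
}

#define LINE_SIZE 16                 /* assumed size of the real buffer */
static char line_storage[LINE_SIZE]; /* the definition: an array */
static char *line = line_storage;    /* what code sees through a "char *" */

/* The pattern the message objects to: sizeof applied to a pointer. */
size_t bound_via_pointer(void) { return sizeof(line); }

/* Bound taken from the array definition itself. */
size_t bound_via_array(void) { return sizeof(line_storage); }

/* Copy lp into the buffer using the given bound; return 1 if it fit whole. */
int set_line(const char *lp, size_t bound)
{
    memset(line_storage, 0, sizeof(line_storage));
    return copy_bounded(line, lp, bound) < bound;
}

const char *current_line(void) { return line_storage; }

int main(void)
{
    const char *lp = "/dev/ptyp0";   /* constructed sample pty name */
    int ok = set_line(lp, bound_via_pointer());
    printf("pointer bound %zu: fit=%d line=\"%s\"\n", bound_via_pointer(), ok, current_line());
    ok = set_line(lp, bound_via_array());
    printf("array bound %zu: fit=%d line=\"%s\"\n", bound_via_array(), ok, current_line());
    return 0;
}
```

With the pointer-sized bound the copy no longer overflows, but the stored name is silently truncated, which only the return value reveals.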

