Date: Thu, 31 Mar 2005 14:20:55 -0500
From: Steve Kiernan <stevek@juniper.net>
To: freebsd-security@freebsd.org
Subject: FreeBSD Security Advisory FreeBSD-SA-05:01.telnet
Message-ID: <1112296855.8421.64.camel@localhost>
I was looking at this patch, but there seems to be an error in it:

unsigned char slc_reply[128];
+unsigned char const * const slc_reply_eom = &slc_reply[sizeof(slc_reply)];
unsigned char *slc_replyp;

Should the value for slc_reply_eom not be this instead?

unsigned char const * const slc_reply_eom = &slc_reply[sizeof(slc_reply) - 1];

Considering the conditionals are the following:

+ if (&slc_replyp[6+2] > slc_reply_eom)
+ return;

.. and ..

+ /* The end of negotiation command requires 2 bytes. */
+ if (&slc_replyp[2] > slc_reply_eom)
+ return;

If you don't subtract 1 from the sizeof(slc_reply) or change the conditional operators to >=, then you could try to write one byte past the end of the buffer.

--
Steve Kiernan
Juniper Networks
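Review bot: the one-past-the-end definition of slc_reply_eom and the `>` comparisons in the two checks are consistent with each other, so the proposed `- 1` is not needed. With slc_reply_eom equal to &slc_reply[128], `&slc_replyp[6+2] > slc_reply_eom` admits a cursor no later than &slc_reply[120], whose eight bytes occupy indices 120 through 127, and `&slc_replyp[2] > slc_reply_eom` admits a cursor no later than &slc_reply[126]; neither write reaches slc_reply[128]. Subtracting 1 from sizeof(slc_reply) while keeping `>` would instead leave the last byte of the buffer unusable. One point worth raising on the checks as written: `&slc_replyp[6+2]` forms a pointer more than one past the end of the array when the cursor is close to it, which strict C does not allow even if the pointer is only compared; `if (slc_reply_eom - slc_replyp < 6+2) return;` makes the same decision as a length comparison without forming such a pointer.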
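Added example, not code from the advisory, the telnet source or this message: a small C model of the reservation check using the page's 128-byte slc_reply buffer and its one-past-the-end slc_reply_eom, so the boundary the question is about can be exercised directly. The check_admits and last_index_written helpers are invented here for that purpose.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the patch's bounds check (not the telnet source):
 * the page's 128-byte reply buffer, an end marker one past the last
 * element, and a write cursor. */
static unsigned char slc_reply[128];
static unsigned char const * const slc_reply_eom = &slc_reply[sizeof(slc_reply)];
static unsigned char *slc_replyp;

/* Does the patch's test admit a write of `need` bytes with the cursor at
 * slc_reply[offset]?  This is the same decision as
 *     if (&slc_replyp[need] > slc_reply_eom) return;
 * written as a length comparison so no out-of-range pointer is formed. */
int check_admits(size_t offset, size_t need)
{
    unsigned char const *p = slc_reply + offset;
    return (size_t)(slc_reply_eom - p) >= need;
}

/* Drive the two reservations the way the patched functions do: each
 * slc_add_reply() call wants 6 bytes plus 2 held back for the terminator,
 * then slc_end_reply() writes the 2-byte terminator.  Returns the index of
 * the last byte written, or -1 if the terminator was refused. */
int last_index_written(void)
{
    slc_replyp = slc_reply;
    memset(slc_reply, 0, sizeof(slc_reply));
    while (check_admits((size_t)(slc_replyp - slc_reply), 6 + 2)) {
        memset(slc_replyp, 0xAA, 6);          /* stand-in for the IAC SB ... bytes */
        slc_replyp += 6;
    }
    if (!check_admits((size_t)(slc_replyp - slc_reply), 2))
        return -1;
    memset(slc_replyp, 0xAA, 2);              /* stand-in for IAC SE */
    slc_replyp += 2;
    return (int)(slc_replyp - slc_reply) - 1; /* returns 127 */
}

int main(void)
{
    printf("cursor 120, 8 bytes admitted: %d\n", check_admits(120, 8));
    printf("cursor 121, 8 bytes admitted: %d\n", check_admits(121, 8));
    printf("last index written: %d\n", last_index_written());
    return 0;
}
```

The highest index ever written is 127, the last element of slc_reply, so the `>` test against the one-past-the-end pointer stays inside the buffer.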