From owner-freebsd-security@FreeBSD.ORG Thu Mar 31 19:21:06 2005
From: Steve Kiernan
To: freebsd-security@freebsd.org
Organization: Juniper Networks Inc.
Date: Thu, 31 Mar 2005 14:20:55 -0500
Message-Id: <1112296855.8421.64.camel@localhost>
Subject: FreeBSD Security Advisory FreeBSD-SA-05:01.telnet
List-Id: Security issues [members-only posting]

I was looking at this patch, but there seems to be an error in it:

 unsigned char slc_reply[128];
+unsigned char const * const slc_reply_eom = &slc_reply[sizeof(slc_reply)];
 unsigned char *slc_replyp;

Should the value for slc_reply_eom not be this instead?
unsigned char const * const slc_reply_eom = &slc_reply[sizeof(slc_reply) - 1];

Considering the conditionals are the following:

+ if (&slc_replyp[6+2] > slc_reply_eom)
+ return;

.. and ..

+ /* The end of negotiation command requires 2 bytes. */
+ if (&slc_replyp[2] > slc_reply_eom)
+ return;

If you don't subtract 1 from the sizeof(slc_reply) or change the conditional operators to >=, then you could try to write one byte past the end of the buffer.

-- 
Steve Kiernan
Juniper Networks
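Review bot: The sentinel hunk (`+unsigned char const * const slc_reply_eom = &slc_reply[sizeof(slc_reply)];`) is correct as posted and should not be moved back to `sizeof(slc_reply) - 1`: `&slc_reply[sizeof(slc_reply)]` is the usual one-past-the-end pointer, and a check of the form `&slc_replyp[n] > slc_reply_eom` then rejects exactly those writes whose last byte would land at index sizeof(slc_reply) or beyond. When `&slc_replyp[n] == slc_reply_eom`, the n bytes occupy slc_replyp[0] through slc_replyp[n-1], and slc_replyp[n-1] is slc_reply_eom - 1, the last valid byte of the array. Subtracting 1 would instead refuse a reply that fills the buffer exactly. A one-line comment on the definition stating that it points one past the end would spare the next reader the same question.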
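Review bot: The `6+2` in `if (&slc_replyp[6+2] > slc_reply_eom)` is undocumented, whereas the later hunk explains its 2-byte requirement in a comment; add a comment saying what the 6 and the 2 bytes are (or name the constant) so a reader can confirm the count matches the bytes actually written after the check. The boundary itself is exact against the one-past-the-end sentinel: with eight bytes remaining, `&slc_replyp[8]` equals `slc_reply_eom`, the test does not fire, and the write ends at slc_reply_eom - 1.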
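Review bot: `if (&slc_replyp[2] > slc_reply_eom)` (and the `&slc_replyp[6+2]` form in the previous hunk) forms the pointer before testing it; when fewer than 2 bytes remain, that pointer lies beyond one-past-the-end, which is undefined behaviour in C even though it is only compared, never dereferenced. Expressing the test as a distance, e.g. `if (slc_reply_eom - slc_replyp < 2) return;`, keeps the same accept/reject boundary and never forms an out-of-range pointer.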
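The following C program is an added example, not code from the advisory, the patch or telnetd: it builds a 128-byte buffer of the same shape as slc_reply[] with the patch's one-past-the-end sentinel, implements the posted bounds test as a pointer subtraction (an assumption of this example; the patch compares pointers directly), and fills the buffer with constructed 8-byte records under both candidate values of slc_reply_eom so the off-by-one question can be settled by counting bytes rather than by inspection.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed scratch buffer with the same shape as telnetd's slc_reply[]
 * and the same one-past-the-end sentinel the patch introduces. Nothing
 * here is taken from the advisory or from telnetd itself. */
enum { SLC_REPLY_SIZE = 128 };
static unsigned char slc_reply[SLC_REPLY_SIZE];
static unsigned char const * const slc_reply_eom = &slc_reply[sizeof(slc_reply)];
static unsigned char *slc_replyp = slc_reply;

/* Rewind the cursor and clear the buffer. */
void slc_reset(void)
{
    memset(slc_reply, 0, sizeof(slc_reply));
    slc_replyp = slc_reply;
}

/* Would a write of `need` bytes at the cursor stay below `eom`?
 * Same boundary as the patch's "&slc_replyp[need] > eom" test, written
 * as a subtraction so that no pointer past one-past-the-end is formed. */
bool slc_fits(const unsigned char *eom, size_t need)
{
    if (eom < slc_replyp)            /* cursor already past the limit */
        return false;
    return (size_t)(eom - slc_replyp) >= need;
}

/* Append `need` bytes from `src` if they fit; otherwise write nothing. */
bool slc_add(const unsigned char *eom, const unsigned char *src, size_t need)
{
    if (!slc_fits(eom, need))
        return false;
    memcpy(slc_replyp, src, need);
    slc_replyp += need;
    return true;
}

/* Bytes consumed so far; the highest index written is one less than this. */
size_t slc_used(void)
{
    return (size_t)(slc_replyp - slc_reply);
}

/* Append `chunk`-byte records (a constructed stand-in for the 8 bytes the
 * patch's first check reserves) until one is refused; return how many fit. */
size_t slc_fill(const unsigned char *eom, size_t chunk)
{
    unsigned char rec[16];
    size_t n = 0;

    if (chunk == 0 || chunk > sizeof(rec))
        return 0;
    memset(rec, 0xAB, sizeof(rec));      /* constructed payload */
    while (slc_add(eom, rec, chunk))
        n++;
    return n;
}

int main(void)
{
    /* The value proposed in the mail: last valid byte instead of end+1. */
    const unsigned char *proposed_eom = &slc_reply[sizeof(slc_reply) - 1];
    size_t n, used;

    slc_reset();
    n = slc_fill(slc_reply_eom, 8);
    used = slc_used();
    printf("eom = end+1: %zu records of 8 bytes, %zu/%d bytes used\n",
           n, used, SLC_REPLY_SIZE);

    slc_reset();
    n = slc_fill(proposed_eom, 8);
    used = slc_used();
    printf("eom = end-1: %zu records of 8 bytes, %zu/%d bytes used\n",
           n, used, SLC_REPLY_SIZE);
    return 0;
}
```

With the sentinel at `&slc_reply[sizeof(slc_reply)]`, sixteen 8-byte records are accepted, 128 bytes are used and the last byte written is index 127, still inside the array; the seventeenth record is refused because only 0 bytes remain. With the sentinel moved back to index 127, the sixteenth record is refused even though exactly 8 bytes remain, so the last 8 bytes of the buffer can never be used. Writing the test as `eom - slc_replyp >= need` also avoids forming `&slc_replyp[need]` when that address would lie beyond one-past-the-end.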