FreeBSD Security Advisory FreeBSD-SA-05:01.telnet

Steve Kiernan stevek at
Thu Mar 31 11:21:06 PST 2005

I was looking at this patch, but there seems to be an error in it:

 unsigned char slc_reply[128];
+unsigned char const * const slc_reply_eom = &slc_reply[sizeof(slc_reply)];
 unsigned char *slc_replyp;

Should the value for slc_reply_eom not be this instead?

unsigned char const * const slc_reply_eom = &slc_reply[sizeof(slc_reply) - 1];

Considering the conditionals are the following:

+       if (&slc_replyp[6+2] > slc_reply_eom)
+               return;

.. and ..

+    /* The end of negotiation command requires 2 bytes. */
+    if (&slc_replyp[2] > slc_reply_eom)
+            return;

If you don't subtract 1 from the sizeof(slc_reply) or change the
conditional operators to >=, then you could try to write one byte past
the end of the buffer.

Steve Kiernan
Juniper Networks

More information about the freebsd-security mailing list