telnetd: Validate key length prior to copying into a fixed buffer.
author Peter Avalos <pavalos@dragonflybsd.org>
Fri, 23 Dec 2011 18:16:31 +0000 (10:16 -0800)
committer Peter Avalos <pavalos@dragonflybsd.org>
Fri, 23 Dec 2011 18:21:41 +0000 (10:21 -0800)
It's possible for a remote attacker to execute arbitrary code with the
privileges of the telnetd daemon (normally root) prior to this fix.
CVE-2011-4862

Obtained-from:   FreeBSD-SA-11:08.telnetd

lib/libtelnet/encrypt.c

index 8b5666d..49f513b 100644 (file)
@@ -714,6 +714,9 @@ encrypt_keyid(struct key_info *kp, unsigned char *keyid, int len)
        int dir = kp->dir;
        int ret = 0;
 
+       if (len > MAXKEYLEN)
+               len = MAXKEYLEN;
+
        if (!(ep = (*kp->getcrypt)(*kp->modep))) {
                if (len == 0)
                        return;
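
Review bot: the new check at the top of encrypt_keyid() bounds len only from above. len is declared as a signed int, so a negative value passes `if (len > MAXKEYLEN)` unchanged, and an over-long key id is silently truncated to MAXKEYLEN instead of being rejected. Consider `if (len < 0 || len > MAXKEYLEN)` with an early return, or at least a comment stating that truncation is intended, so the length used for the copy named in the commit title is always within 0..MAXKEYLEN and a peer sending an oversized key id is not accepted with a shortened one.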