From e2decfa00070772e0f0eb2531bad6efdb84a403b Mon Sep 17 00:00:00 2001 From: Peter Avalos Date: Fri, 23 Dec 2011 10:16:31 -0800 Subject: [PATCH] telnetd: Validate key length prior to copying into a fixed buffer. It's possible for a remote attacker to execute arbitrary code with the privileges of the telnetd daemon (normally root) prior to this fix. CVE-2011-4862 Obtained-from: FreeBSD-SA-11:08.telnetd --- lib/libtelnet/encrypt.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/lib/libtelnet/encrypt.c b/lib/libtelnet/encrypt.c index 8b5666d956..49f513be82 100644 --- a/lib/libtelnet/encrypt.c +++ b/lib/libtelnet/encrypt.c @@ -714,6 +714,9 @@ encrypt_keyid(struct key_info *kp, unsigned char *keyid, int len) int dir = kp->dir; int ret = 0; + if (len > MAXKEYLEN) + len = MAXKEYLEN; + if (!(ep = (*kp->getcrypt)(*kp->modep))) { if (len == 0) return; -- 2.41.0
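Review bot: The new check at the top of encrypt_keyid() bounds `len` only from above, and `len` is a signed `int`, so a negative value still passes `if (len > MAXKEYLEN)` and reaches the code below unchanged. Unless every caller guarantees a non-negative length, reject it here as well, for example with `if (len < 0 || len > MAXKEYLEN)`, or change the parameter to an unsigned type. Separately, the clamp silently truncates an over-long key id and then goes on to process it as if it were valid; consider whether returning early (treating the key id as invalid) is the safer behaviour than continuing with a truncated value. A one-line comment stating that MAXKEYLEN is the size of the destination buffer the key id is later copied into would make the reason for the check clear to the next reader.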