2003-10-15 Jay Fenlason <fenlason@redhat.com>

* lib/vty.c: (vty_telnet_option) Remote DoS exists if a telnet end-sub-negotation is sent when no sub-negotation data has been sent. Return immediately if no sub-negotation is in progress. (vty_read) do not attempt to process options if no sub-negotation is in progress.
2025-08-09 16:13:51 +00:00 · 2003-10-15 23:08:55 +00:00 · 2003-10-15 23:08:55 +00:00 · 5b8c1b0d6a
commit 5b8c1b0d6a
parent 79ad27982a
1 changed files with 12 additions and 7 deletions
--- a/lib/vty.c
+++ b/lib/vty.c
@ -1140,15 +1140,18 @@ vty_telnet_option (struct vty *vty, unsigned char *buf, int nbytes)
      break;
    case SE: 
      {
-	char *buffer = (char *)vty->sb_buffer->head->data;
+	char *buffer;
-	int length = vty->sb_buffer->length;
+	int length;
 	if (buffer == NULL)
 	  return 0;
 	if (!vty->iac_sb_in_progress)
 	  return 0;
 	buffer = (char *)vty->sb_buffer->head->data;
 	length = vty->sb_buffer->length;
 	if (buffer == NULL)
 	  return 0;
 	if (buffer[0] == '\0')
 	  {
 	    vty->iac_sb_in_progress = 0;
@ -1251,7 +1254,6 @@ static int
 vty_read (struct thread *thread)
 {
  int i;
  int ret;
  int nbytes;
  unsigned char buf[VTY_READ_BUFSIZ];
@ -1288,12 +1290,15 @@ vty_read (struct thread *thread)
      if (vty->iac)
 	{
 	  /* In case of telnet command */
-	  ret = vty_telnet_option (vty, buf + i, nbytes - i);
+	  int ret = 0;
 	  if (vty->iac_sb_in_progress)
 	    ret = vty_telnet_option (vty, buf + i, nbytes - i);
 	  vty->iac = 0;
 	  i += ret;
 	  continue;
 	}
      if (vty->status == VTY_MORE)
 	{
 	  switch (buf[i])