summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorpaul <paul>2003-10-15 23:08:55 +0000
committerpaul <paul>2003-10-15 23:08:55 +0000
commit5b8c1b0d6af736b0633309b4b3490298b9a20742 (patch)
tree9ffdf1bfbb4d4ecc5d3a26e265fbc98c9869ed96
parent79ad27982af1440a841298b684d94732ae07d003 (diff)
2003-10-15 Jay Fenlason <fenlason@redhat.com>
* lib/vty.c: (vty_telnet_option) Remote DoS exists if a telnet end-sub-negotation is sent when no sub-negotation data has been sent. Return immediately if no sub-negotation is in progress. (vty_read) do not attempt to process options if no sub-negotation is in progress.
-rw-r--r--lib/vty.c17
1 files changed, 11 insertions, 6 deletions
diff --git a/lib/vty.c b/lib/vty.c
index 4e341bf1..1c249122 100644
--- a/lib/vty.c
+++ b/lib/vty.c
@@ -1140,13 +1140,16 @@ vty_telnet_option (struct vty *vty, unsigned char *buf, int nbytes)
break;
case SE:
{
- char *buffer = (char *)vty->sb_buffer->head->data;
- int length = vty->sb_buffer->length;
+ char *buffer;
+ int length;
- if (buffer == NULL)
+ if (!vty->iac_sb_in_progress)
return 0;
- if (!vty->iac_sb_in_progress)
+ buffer = (char *)vty->sb_buffer->head->data;
+ length = vty->sb_buffer->length;
+
+ if (buffer == NULL)
return 0;
if (buffer[0] == '\0')
@@ -1251,7 +1254,6 @@ static int
vty_read (struct thread *thread)
{
int i;
- int ret;
int nbytes;
unsigned char buf[VTY_READ_BUFSIZ];
@@ -1288,11 +1290,14 @@ vty_read (struct thread *thread)
if (vty->iac)
{
/* In case of telnet command */
- ret = vty_telnet_option (vty, buf + i, nbytes - i);
+ int ret = 0;
+ if (vty->iac_sb_in_progress)
+ ret = vty_telnet_option (vty, buf + i, nbytes - i);
vty->iac = 0;
i += ret;
continue;
}
+
if (vty->status == VTY_MORE)
{