* sys_term.c (start_login): Bounds check the constructed "speed"

	passed in to login.

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@10065 dc483132-0cff-0310-8789-dd5450dbe970

2 files changed, 13 insertions, 2 deletions

diff --git a/src/appl/telnet/telnetd/ChangeLog b/src/appl/telnet/telnetd/ChangeLog
index d64b94d..b8fa48c 100644
--- a/src/appl/telnet/telnetd/ChangeLog
+++ b/src/appl/telnet/telnetd/ChangeLog
@@ -1,3 +1,8 @@
+Wed Apr  9 23:46:40 1997  Tom Yu  <tlyu@mit.edu>
+
+	* sys_term.c (start_login): Bounds check the constructed "speed"
+	passed in to login.
+
 Wed Feb 12 15:22:53 1997  Tom Yu  <tlyu@voltage-multiplier.mit.edu>
 
 	* configure.in: Fix DES425_DEPLIB
diff --git a/src/appl/telnet/telnetd/sys_term.c b/src/appl/telnet/telnetd/sys_term.c
index a7c7ee5..0e5def6 100644
--- a/src/appl/telnet/telnetd/sys_term.c
+++ b/src/appl/telnet/telnetd/sys_term.c
@@ -1289,7 +1289,7 @@ start_login(host, autologin, name)
 
 		if (pty > 2) {
 			register char *cp;
-			char speed[128];
+			char speed[1024];
 			int isecho, israw, xpty, len;
 			extern int def_rspeed;
 #  ifndef LOGIN_HOST
@@ -1326,7 +1326,13 @@ start_login(host, autologin, name)
 			len = strlen(name)+1;
 			write(xpty, name, len);
 			write(xpty, name, len);
-			sprintf(speed, "%s/%d", (cp = getenv("TERM")) ? cp : "",
+			memset(speed, 0, sizeof(speed));
+			strncpy(speed,
+				(cp = getenv("TERM")) ? cp : "",
+				sizeof(speed)-1-(10*sizeof(def_rspeed)/4)-1);
+			/* 1 for /, () for the number, 1 for trailing 0. */
+			sprintf(speed + strlen(speed),
+				"/%d",
 				(def_rspeed > 0) ? def_rspeed : 9600);
 			len = strlen(speed)+1;
 			write(xpty, speed, len);