2003-10-15 Jay Fenlason <fenlason@redhat.com>

        * lib/vty.c: (vty_telnet_option) Remote DoS exists if a telnet
          end-sub-negotation is sent when no sub-negotation data has been
          sent. Return immediately if no sub-negotation is in progress.
          (vty_read) do not attempt to process options if no sub-negotation
          is in progress.

diff --git a/lib/vty.c b/lib/vty.c
index 4e341bf1972559344e042df89616b4565a973155..1c2491221e6a9806507ac7a34eb7f386edb445cc 100644 (file)
--- a/lib/vty.c
+++ b/lib/vty.c
@@ -1140,13 +1140,16 @@ vty_telnet_option (struct vty *vty, unsigned char *buf, int nbytes)
       break;
     case SE: 
       {
-       char *buffer = (char *)vty->sb_buffer->head->data;
-       int length = vty->sb_buffer->length;
+       char *buffer;
+       int length;
 
-       if (buffer == NULL)
+       if (!vty->iac_sb_in_progress)
          return 0;
 
-       if (!vty->iac_sb_in_progress)
+       buffer = (char *)vty->sb_buffer->head->data;
+       length = vty->sb_buffer->length;
+
+       if (buffer == NULL)
          return 0;
 
        if (buffer[0] == '\0')
@@ -1251,7 +1254,6 @@ static int
 vty_read (struct thread *thread)
 {
   int i;
-  int ret;
   int nbytes;
   unsigned char buf[VTY_READ_BUFSIZ];
 
@@ -1288,11 +1290,14 @@ vty_read (struct thread *thread)
       if (vty->iac)
        {
          /* In case of telnet command */
-         ret = vty_telnet_option (vty, buf + i, nbytes - i);
+         int ret = 0;
+         if (vty->iac_sb_in_progress)
+           ret = vty_telnet_option (vty, buf + i, nbytes - i);
          vty->iac = 0;
          i += ret;
          continue;
        }
+               
 
       if (vty->status == VTY_MORE)
        {