From 13e3575d4e8e044ccb21d64d1cb637fdb99b6bfd Mon Sep 17 00:00:00 2001
From: gordon <gordon@FreeBSD.org>
Date: Wed, 24 Jul 2019 12:51:52 +0000
Subject: [PATCH] Fix multiple telnet client vulnerabilities.

Approved by:	so
Security:	FreeBSD-SA-19:12.telnet
Security:	CVE-2019-0053
---
 contrib/telnet/telnet/commands.c  | 14 +++++++++-----
 contrib/telnet/telnet/telnet.c    |  4 ++--
 contrib/telnet/telnet/utilities.c |  2 +-
 3 files changed, 12 insertions(+), 8 deletions(-)

diff --git a/contrib/telnet/telnet/commands.c b/contrib/telnet/telnet/commands.c
index 02a0de524d3..c6dc4ca064b 100644
--- a/contrib/telnet/telnet/commands.c
+++ b/contrib/telnet/telnet/commands.c
@@ -45,6 +45,7 @@ __FBSDID("$FreeBSD$");
 #include <sys/socket.h>
 #include <netinet/in.h>
 
+#include <assert.h>
 #include <ctype.h>
 #include <err.h>
 #include <errno.h>
@@ -1654,11 +1655,14 @@ env_init(void)
 		|| (strncmp((char *)ep->value, "unix:", 5) == 0))) {
 		char hbuf[256+1];
 		char *cp2 = strchr((char *)ep->value, ':');
-
-		gethostname(hbuf, 256);
-		hbuf[256] = '\0';
-		cp = (char *)malloc(strlen(hbuf) + strlen(cp2) + 1);
-		sprintf((char *)cp, "%s%s", hbuf, cp2);
+                size_t buflen;
+
+		gethostname(hbuf, sizeof(hbuf));
+		hbuf[sizeof(hbuf)-1] = '\0';
+ 		buflen = strlen(hbuf) + strlen(cp2) + 1;
+		cp = (char *)malloc(sizeof(char)*buflen);
+		assert(cp != NULL);
+		snprintf((char *)cp, buflen, "%s%s", hbuf, cp2);
 		free(ep->value);
 		ep->value = (unsigned char *)cp;
 	}
diff --git a/contrib/telnet/telnet/telnet.c b/contrib/telnet/telnet/telnet.c
index 80f43b2fc0a..33a2ed5335a 100644
--- a/contrib/telnet/telnet/telnet.c
+++ b/contrib/telnet/telnet/telnet.c
@@ -785,7 +785,7 @@ suboption(void)
 	    name = gettermname();
 	    len = strlen(name) + 4 + 2;
 	    if (len < NETROOM()) {
-		sprintf(temp, "%c%c%c%c%s%c%c", IAC, SB, TELOPT_TTYPE,
+		snprintf(temp, sizeof(temp), "%c%c%c%c%s%c%c", IAC, SB, TELOPT_TTYPE,
 				TELQUAL_IS, name, IAC, SE);
 		ring_supply_data(&netoring, temp, len);
 		printsub('>', &temp[2], len-2);
@@ -807,7 +807,7 @@ suboption(void)
 
 	    TerminalSpeeds(&ispeed, &ospeed);
 
-	    sprintf((char *)temp, "%c%c%c%c%ld,%ld%c%c", IAC, SB, TELOPT_TSPEED,
+	    snprintf((char *)temp, sizeof(temp), "%c%c%c%c%ld,%ld%c%c", IAC, SB, TELOPT_TSPEED,
 		    TELQUAL_IS, ospeed, ispeed, IAC, SE);
 	    len = strlen((char *)temp+4) + 4;	/* temp[3] is 0 ... */
 
diff --git a/contrib/telnet/telnet/utilities.c b/contrib/telnet/telnet/utilities.c
index 8d1ea2aee91..f10c04068a2 100644
--- a/contrib/telnet/telnet/utilities.c
+++ b/contrib/telnet/telnet/utilities.c
@@ -629,7 +629,7 @@ printsub(char direction, unsigned char *pointer, int length)
 		}
 		{
 		    char tbuf[64];
-		    sprintf(tbuf, "%s%s%s%s%s",
+		    snprintf(tbuf, sizeof(tbuf), "%s%s%s%s%s",
 			pointer[2]&MODE_EDIT ? "|EDIT" : "",
 			pointer[2]&MODE_TRAPSIG ? "|TRAPSIG" : "",
 			pointer[2]&MODE_SOFT_TAB ? "|SOFT_TAB" : "",
-- 
2.45.0