Synopsis: telnetd(8) options overflow
NetBSD versions: 1.3, 1.4, 1.4.1, 1.4.2, 1.4.3, 1.5, 1.5.1, -current
Thanks to: David Maxwell
Reported in NetBSD Security Advisory: NetBSD-SA2001-012

*** telnetd.c.orig	Thu Jul 19 17:03:57 2001
--- telnetd.c	Thu Jul 19 17:04:10 2001
*************** recv_ayt()
*** 1697,1704 ****
  		return;
  	}
  #endif
! 	(void) strcpy(nfrontp, "\r\n[Yes]\r\n");
! 	nfrontp += 9;
  }
  
  	void
--- 1697,1711 ----
  		return;
  	}
  #endif
! 	/* Flush outstanding data if possible. If not, and buffers are
! 	   full, break protocol and send no reply, rather than overflow
! 	   the buffer.
! 	 */
! 	netflush();
! 	if ( (BUFSIZ - (nfrontp - netobuf)) > 9 ) {
! 		(void) strcpy(nfrontp, "\r\n[Yes]\r\n");
! 		nfrontp += 9;
! 	}
  }
  
  	void