authorNed T. Crigler <crigler@users.sourceforge.net>2012-07-01 21:44:34 +0000
committerNed T. Crigler <crigler@users.sourceforge.net>2012-07-01 21:44:34 +0000
commitb87fa9970de6a97bdb6afa442267783adc147f4b (patch)
tree77050ffc47dbeca830def16110d4d313dbd51cda
parentaeb60e6d041cf1995233f5cb6af64fa880200e84 (diff)
Fix error handling for read from stdin in attach.c
attach.c did not correctly handle a read from stdin when read returned an error. The code assigned the return value of read to pkt.len (an unsigned char) before checking the value. This prevented the error check from working correctly, since an unsigned integer can never be < 0. A packet with an invalid length was then sent to the master, which then sent 255 bytes of garbage to the program. Fix the bug in attach.c and the unchecked packet length bug in master.c. Report and initial patch by Enrico Scholz.
-rw-r--r--attach.c8
-rw-r--r--master.c5
2 files changed, 10 insertions, 3 deletions
diff --git a/attach.c b/attach.c
index 99e101d..059b510 100644
--- a/attach.c
+++ b/attach.c
@@ -237,12 +237,16 @@ attach_main(int noerror)
/* stdin activity */
if (n > 0 && FD_ISSET(0, &readfds))
{
+ ssize_t len;
+
pkt.type = MSG_PUSH;
memset(pkt.u.buf, 0, sizeof(pkt.u.buf));
- pkt.len = read(0, pkt.u.buf, sizeof(pkt.u.buf));
+ len = read(0, pkt.u.buf, sizeof(pkt.u.buf));
- if (pkt.len <= 0)
+ if (len <= 0)
exit(1);
+
+ pkt.len = len;
process_kbd(s, &pkt);
n--;
}
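Review bot: The new assignment `pkt.len = len;` silently narrows an `ssize_t` to the `unsigned char` field the commit message describes, so it is only correct while `sizeof(pkt.u.buf)` fits in an unsigned char, which this hunk does not show. I would make that assumption visible at the assignment, e.g. `pkt.len = (unsigned char)len; /* 1..sizeof(pkt.u.buf), must stay <= UCHAR_MAX */`, so that a later enlargement of the buffer does not reintroduce a truncated length on the wire. The body of attach_main starts and ends outside the hunk, so the declaration of `pkt` could not be checked here.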
diff --git a/master.c b/master.c
index e65d269..e0351bd 100644
--- a/master.c
+++ b/master.c
@@ -351,7 +351,10 @@ client_activity(struct client *p)
/* Push out data to the program. */
if (pkt.type == MSG_PUSH)
- write(the_pty.fd, pkt.u.buf, pkt.len);
+ {
+ if (pkt.len <= sizeof(pkt.u.buf))
+ write(the_pty.fd, pkt.u.buf, pkt.len);
+ }
/* Attach or detach from the program. */
else if (pkt.type == MSG_ATTACH)
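Review bot: The added bound on `pkt.len` is applied only inside the MSG_PUSH branch, and a packet that fails it is dropped without any trace. Since the length comes from the client, it would be safer to validate it once where the packet is received (outside this hunk, presumably earlier in client_activity), so that every message type sees a checked length. At minimum, document the drop with a comment such as `/* pkt.len is client-supplied; ignore packets claiming more than the buffer holds */`. The return value of `write(the_pty.fd, ...)` is also still ignored, so a short or failed write to the pty loses input silently. client_activity continues outside the hunk, so whether other branches read `pkt.len` could not be confirmed.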