Package: netkit-ftp / 0.17-31

025_long_cmd_overflow.diff Patch series | download
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
Description: Buffer overflow caused by long commands.
 Allocate a sufficient amount of memory to handle
 many arguments.
X-Closes: #391207, #407924
X-Comment: debdiff netkit-ftp_0.17-{16,18}.dsc
 Description interpreted from #407924
Author: Steve Kemp <skx@debian.org>
Forwarded: no
Last-Update: 2008-03-26
diff -u netkit-ftp-0.17/ftp/main.c netkit-ftp-0.17/ftp/main.c
--- netkit-ftp-0.17/ftp/main.c
+++ netkit-ftp-0.17/ftp/main.c
@@ -478,10 +478,24 @@
 char **
 makeargv(int *pargc, char **parg)
 {
-	static char *rargv[20];
+        static char **rargv = NULL;
 	int rargc = 0;
+        int i = 0, count = 0;
 	char **argp;
 
+
+        /* Allocate enough space: err on the side of caution */
+        while ( line[i] != '\0' ) {
+                if ( line[i] == ' ' )
+                        count += 1 ;
+                i+= 1;
+        }
+
+        /* allocate memory for $count-sized array of chars */
+        rargv = (char **) malloc( count * strlen(line));
+   if (rargv == NULL)
+                fatal("Out of memory");
+
 	INTOFF;
 	argbuf = obstack_alloc(&mainobstack, strlen(line) + 1);
 	INTON;