Synopsis: one-byte overrun in replydirname() in ftpd
NetBSD versions: 1.4.3 and earlier
See also: 20001220-ftpd-1.5
Thanks to: Kristian Vlaardingerbroek <[email protected]>,
           Jun-ichiro itojun Hagino <[email protected]>
Index: libexec/ftpd/ftpd.c
===================================================================
RCS file: /cvsroot/basesrc/libexec/ftpd/ftpd.c,v
retrieving revision 1.61.2.3
retrieving revision 1.61.2.4
diff -u -u -r1.61.2.3 -r1.61.2.4
--- libexec/ftpd/ftpd.c 2000/07/08 18:58:10 1.61.2.3
+++ libexec/ftpd/ftpd.c 2000/12/14 22:33:47 1.61.2.4
@@ -105,7 +105,7 @@
#define FALSE 0
#endif
-const char version[] = "Version: 7.1.0";
+const char version[] = "Version: 7.1.0a";
struct sockaddr_in ctrl_addr;
struct sockaddr_in data_source;
@@ -1418,15 +1418,21 @@
replydirname(name, message)
const char *name, *message;
{
- char npath[MAXPATHLEN + 1];
- int i;
+ char *p, *ep;
+ char npath[MAXPATHLEN];
- for (i = 0; *name != '\0' && i < sizeof(npath) - 1; i++, name++) {
- npath[i] = *name;
- if (*name == '"')
- npath[++i] = '"';
+ p = npath;
+ ep = &npath[sizeof(npath) - 1];
+ while (*name) {
+ if (*name == '"' && ep - p >= 2) {
+ *p++ = *name++;
+ *p++ = '"';
+ } else if (ep - p >= 1)
+ *p++ = *name++;
+ else
+ break;
}
- npath[i] = '\0';
+ *p = '\0';
reply(257, "\"%s\" %s", npath, message);
}
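Review bot: In the rewritten loop, a `"` met when exactly one byte remains before `ep` fails the `ep - p >= 2` test and then falls into the `else if (ep - p >= 1)` branch, so it is copied undoubled as the last character of `npath`. The overrun itself is closed, since `p` never passes `ep`, but the 257 reply then ends in `""`, which a client that undoes RFC 959 quote doubling would read as an embedded quote rather than the closing one. Restricting the second branch to non-quote characters, `} else if (*name != '"' && ep - p >= 1)`, makes that case reach `break` instead. Truncation is also silent, so a comment above the loop such as `/* copy at most sizeof(npath) - 1 bytes, doubling '"'; longer names are truncated */` would help the next reader. The function's return-type line lies above the hunk.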