FreeBSD Bugzilla – Attachment 11965 Details for
Bug 23352
[SECURITY] buffer overflow in opieftpd
Home
|
New
|
Browse
|
Search
|
[?]
|
Reports
|
Help
|
New Account
|
Log In
Remember
[x]
|
Forgot Password
Login:
[x]
[patch]
file.diff
file.diff (text/plain), 1.48 KB, created by
Przemyslaw Frasunek
on 2000-12-07 11:20:01 UTC
(
hide
)
Description:
file.diff
Filename:
MIME Type:
Creator:
Przemyslaw Frasunek
Created:
2000-12-07 11:20:01 UTC
Size:
1.48 KB
patch
obsolete
>--- popen.c.bak Thu Dec 7 12:11:24 2000 >+++ popen.c Thu Dec 7 12:18:04 2000 >@@ -82,10 +82,13 @@ > #include <string.h> > #endif /* HAVE_STRING_H */ > > #include "opie.h" > >+#define MAXUSRARGS 100 >+#define MAXGLOBARGS 1000 >+ > char **ftpglob __P((register char *)); > char **copyblk __P((char **)); > VOIDRET blkfree __P((char **)); > > /* >@@ -101,34 +104,36 @@ > FILE *ftpd_popen FUNCTION((program, type), char *program AND char *type) > { > char *cp; > FILE *iop; > int argc, gargc, pdes[2]; >- char **pop, *argv[100], *gargv[1000], *vv[2]; >+ char **pop, *argv[MAXUSRARGS], *gargv[MAXGLOBARGS], *vv[2]; > > if ((*type != 'r' && *type != 'w') || type[1]) > return (NULL); > > if (pipe(pdes) < 0) > return (NULL); > > /* break up string into pieces */ >- for (argc = 0, cp = program;; cp = NULL) >+ for (argc = 0, cp = program; argc < MAXUSRARGS-1; cp = NULL) { > if (!(argv[argc++] = strtok(cp, " \t\n"))) > break; >+ } >+ argv[argc - 1] = NULL; > > /* glob each piece */ > gargv[0] = argv[0]; >- for (gargc = argc = 1; argv[argc]; argc++) { >+ for (gargc = argc = 1; argv[argc] && gargc < (MAXGLOBARGS-1); argc++) { > if (!(pop = (char **) ftpglob(argv[argc]))) { > /* globbing failed */ > vv[0] = argv[argc]; > vv[1] = NULL; > pop = (char **) copyblk(vv); > } > argv[argc] = (char *) pop; /* save to free later */ >- while (*pop && gargc < 1000) >+ while (*pop && gargc < MAXGLOBARGS-1) > gargv[gargc++] = *pop++; > } > gargv[gargc] = NULL; > > iop = NULL;
<b>You cannot view the attachment while viewing its details because your browser does not support IFRAMEs. <a href="attachment.cgi?id=11965">View the attachment on a separate page</a>.</b>
View Attachment As Diff
View Attachment As Raw
Actions:
View
|
Diff
Attachments on
bug 23352
: 11965