FreeBSD Bugzilla – Attachment 12945 Details for
Bug 24810
kerberosIV and heimdal ftpd is vulnerable to buffer overflow
[patch]
file.diff
file.diff (text/plain), 2.78 KB, created by
Przemyslaw Frasunek
on 2001-02-02 23:40:00 UTC
Description:
file.diff
Filename:
MIME Type:
Creator:
Przemyslaw Frasunek
Created:
2001-02-02 23:40:00 UTC
Size:
2.78 KB
>--- crypto/heimdal/appl/ftp/ftpd/popen.c.orig Sat Feb 3 00:20:07 2001
>+++ crypto/heimdal/appl/ftp/ftpd/popen.c Sat Feb 3 00:23:10 2001
>@@ -66,6 +66,9 @@
>
> #include <roken.h>
>
>+#define MAXUSRARGS 100
>+#define MAXGLOBARGS 1000
>+
> /*
> * Special version of popen which avoids call to shell. This ensures
> * no one may create a pipe to a hidden program as a side effect of a
>@@ -103,7 +106,7 @@
> char *cp;
> FILE *iop;
> int argc, gargc, pdes[2], pid;
>- char **pop, *argv[100], *gargv[1000];
>+ char **pop, *argv[MAXUSRARGS], *gargv[MAXGLOBARGS];
> char *foo;
>
> if (strcmp(type, "r") && strcmp(type, "w"))
>@@ -126,14 +129,14 @@
>
> /* break up string into pieces */
> foo = NULL;
>- for (argc = 0, cp = program;; cp = NULL) {
>+ for (argc = 0, cp = program; argc < MAXUSRARGS; cp = NULL) {
> if (!(argv[argc++] = strtok_r(cp, " \t\n", &foo)))
> break;
> }
>
> gargv[0] = (char*)ftp_rooted(argv[0]);
> /* glob each piece */
>- for (gargc = argc = 1; argv[argc]; argc++) {
>+ for (gargc = argc = 1; argv[argc] && gargc < (MAXGLOBARGS-1); argc++) {
> glob_t gl;
> int flags = GLOB_BRACE|GLOB_NOCHECK|GLOB_QUOTE|GLOB_TILDE;
>
>@@ -141,7 +144,7 @@
> if (no_glob || glob(argv[argc], flags, NULL, &gl))
> gargv[gargc++] = strdup(argv[argc]);
> else
>- for (pop = gl.gl_pathv; *pop; pop++)
>+ for (pop = gl.gl_pathv; *pop && gargc < (MAXGLOBARGS-1); pop++)
> gargv[gargc++] = strdup(*pop);
> globfree(&gl);
> }
>--- crypto/kerberosIV/appl/ftp/ftpd/popen.c.orig Sat Feb 3 00:26:04 2001
>+++ crypto/kerberosIV/appl/ftp/ftpd/popen.c Sat Feb 3 00:24:25 2001
>@@ -66,6 +66,9 @@
>
> #include <roken.h>
>
>+#define MAXUSRARGS 100
>+#define MAXGLOBARGS 1000
>+
> /*
> * Special version of popen which avoids call to shell. This ensures
> * no one may create a pipe to a hidden program as a side effect of a
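Review bot: In crypto/heimdal/appl/ftp/ftpd/popen.c, the tokenizer loop in the `@@ -126,14 +129,14 @@` hunk can still leave `argv` without a NULL terminator. With the bound `argc < MAXUSRARGS`, a command line of 100 or more tokens stores a non-NULL pointer in `argv[MAXUSRARGS-1]` and exits, and the glob loop below then tests `argv[argc]` one element past the end of the array. Bound the loop at `argc < MAXUSRARGS - 1` and add `argv[MAXUSRARGS - 1] = NULL;` after it, which matches the slack the patch already keeps with `MAXGLOBARGS-1` for `gargv`. The identical hunk in crypto/kerberosIV/appl/ftp/ftpd/popen.c needs the same change; the enclosing function starts and ends outside both hunks.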
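Review bot: When the `gargc < (MAXGLOBARGS-1)` cap is hit in the `@@ -141,7 +144,7 @@` hunk of crypto/heimdal/appl/ftp/ftpd/popen.c (and in the outer glob loop of the previous hunk), the remaining matches and arguments are dropped silently, and the command presumably still runs with a truncated argument list. For a server-side command that is a behaviour change worth making explicit: either document it next to the loop, `/* matches beyond MAXGLOBARGS-1 are discarded; the command runs with a truncated list */`, or treat reaching the cap as an error once the loops finish. The error path and the code that terminates `gargv` are outside the hunk, so which of the two fits is for the author to judge. The same applies to the kerberosIV copy.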
>@@ -103,7 +106,7 @@
> char *cp;
> FILE *iop;
> int argc, gargc, pdes[2], pid;
>- char **pop, *argv[100], *gargv[1000];
>+ char **pop, *argv[MAXUSRARGS], *gargv[MAXGLOBARGS];
> char *foo;
>
> if (strcmp(type, "r") && strcmp(type, "w"))
>@@ -126,14 +129,14 @@
>
> /* break up string into pieces */
> foo = NULL;
>- for (argc = 0, cp = program;; cp = NULL) {
>+ for (argc = 0, cp = program; argc < MAXUSRARGS; cp = NULL) {
> if (!(argv[argc++] = strtok_r(cp, " \t\n", &foo)))
> break;
> }
>
> gargv[0] = (char*)ftp_rooted(argv[0]);
> /* glob each piece */
>- for (gargc = argc = 1; argv[argc]; argc++) {
>+ for (gargc = argc = 1; argv[argc] && gargc < (MAXGLOBARGS-1); argc++) {
> glob_t gl;
> int flags = GLOB_BRACE|GLOB_NOCHECK|GLOB_QUOTE|GLOB_TILDE;
>
>@@ -141,7 +144,7 @@
> if (no_glob || glob(argv[argc], flags, NULL, &gl))
> gargv[gargc++] = strdup(argv[argc]);
> else
>- for (pop = gl.gl_pathv; *pop; pop++)
>+ for (pop = gl.gl_pathv; *pop && gargc < (MAXGLOBARGS-1); pop++)
> gargv[gargc++] = strdup(*pop);
> globfree(&gl);
> }
Attachments on
bug 24810
: 12945