[ftp] Fix buffer overflow in token parsing
jsynacek
jsynacek at fedoraproject.org
Tue Oct 30 07:38:18 UTC 2012
commit 5f38f714ec5db512cd4d944d5958586729756357
Author: Jan Synacek <jsynacek at redhat.com>
Date: Tue Oct 30 08:37:31 2012 +0100
Fix buffer overflow in token parsing
Resolves: #871296
ftp.spec | 8 ++++-
netkit-ftp-0.17-token.patch | 75 +++++++++++++++++++++++++++++++++++++++++++
2 files changed, 82 insertions(+), 1 deletions(-)
---
diff --git a/ftp.spec b/ftp.spec
index cbdd8df..32a3b1d 100644
--- a/ftp.spec
+++ b/ftp.spec
@@ -1,7 +1,7 @@
Summary: The standard UNIX FTP (File Transfer Protocol) client
Name: ftp
Version: 0.17
-Release: 62%{?dist}
+Release: 63%{?dist}
License: BSD with advertising
Group: Applications/Internet
Source0: ftp://ftp.linux.org.uk/pub/linux/Networking/netkit/netkit-ftp-%{version}.tar.gz
@@ -39,6 +39,7 @@ Patch30: netkit-ftp-0.17-active-mode-option.patch
Patch31: netkit-ftp-0.17-commands-leaks.patch
Patch32: netkit-ftp-0.17-lsn-timeout.patch
Patch33: netkit-ftp-0.17-getlogin.patch
+Patch34: netkit-ftp-0.17-token.patch
BuildRequires: glibc-devel, readline-devel, ncurses-devel
@@ -85,6 +86,7 @@ file transfers.
%patch31 -p1 -b .cmds-leaks
%patch32 -p1 -b .lsn-timeout
%patch33 -p1 -b .getlogin
+%patch34 -p1 -b .token
%build
sh configure --with-c-compiler=gcc --enable-ipv6
@@ -113,6 +115,10 @@ make INSTALLROOT=${RPM_BUILD_ROOT} install
%{_mandir}/man5/netrc.*
%changelog
+* Tue Oct 30 2012 Jan Synáček <jsynacek at redhat.com> - 0.17-63
+- Fix buffer overflow in token parsing
+- Resolves: #871296
+
* Tue Oct 30 2012 Jan Synáček <jsynacek at redhat.com> - 0.17-62
- Fix linelen patch
- Resolves: #871290
diff --git a/netkit-ftp-0.17-token.patch b/netkit-ftp-0.17-token.patch
new file mode 100644
index 0000000..d888300
--- /dev/null
+++ b/netkit-ftp-0.17-token.patch
@@ -0,0 +1,75 @@
+diff -rup netkit-ftp-0.17/ftp/ruserpass.c netkit-ftp-0.17-new/ftp/ruserpass.c
+--- netkit-ftp-0.17/ftp/ruserpass.c 2012-10-29 15:11:10.593841089 +0100
++++ netkit-ftp-0.17-new/ftp/ruserpass.c 2012-10-29 15:13:14.379822697 +0100
+@@ -58,7 +58,8 @@ static int token(void);
+ #define ID 10
+ #define MACH 11
+
+-static char tokval[100];
++#define MAXTOKENLEN 4096
++static char tokval[MAXTOKENLEN];
+
+ static struct toktab {
+ const char *tokstr;
+@@ -249,13 +250,16 @@ bad:
+ return(-1);
+ }
+
+-static
++static
+ int
+ token(void)
+ {
+ char *cp;
+ int c;
+ struct toktab *t;
++ size_t toklen = 0;
++ int showwarn = 1;
++ int quote = 0;
+
+ if (feof(cfile))
+ return (0);
+@@ -266,20 +270,32 @@ token(void)
+ return (0);
+ cp = tokval;
+ if (c == '"') {
+- while ((c = getc(cfile)) != EOF && c != '"') {
+- if (c == '\\')
+- c = getc(cfile);
+- *cp++ = c;
+- }
+- } else {
++ quote = 1;
++ }
++ else {
+ *cp++ = c;
+- while ((c = getc(cfile)) != EOF
+- && c != '\n' && c != '\t' && c != ' ' && c != ',') {
+- if (c == '\\')
+- c = getc(cfile);
+- *cp++ = c;
++ toklen++;
++ }
++ while ((c = getc(cfile)) != EOF) {
++ if (c == '"')
++ break;
++ if (c == '\\')
++ c = getc(cfile);
++ if (!quote && (c == '\n' || c == '\t' || c == ' ' || c == ','))
++ break;
++ if (toklen >= MAXTOKENLEN) {
++ if (showwarn) {
++ fprintf(stderr,
++ "Warning: .netrc token too long, will be trunctated to %zd characters\n",
++ toklen);
++ showwarn = 0;
++ }
++ continue;
+ }
++ *cp++ = c;
++ toklen++;
+ }
++
+ *cp = 0;
+ if (tokval[0] == 0)
+ return (0);
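Review bot: The terminating `*cp = 0;` after the merged loop can still write one byte past the end of `tokval`, because the guard `if (toklen >= MAXTOKENLEN)` lets the loop store MAXTOKENLEN characters and leaves no slot for the NUL. Reserving the last element, `if (toklen >= MAXTOKENLEN - 1) {`, keeps the terminator inside the array. In the same branch the warning prints a `size_t` with `%zd`, where `%zu` is the matching specifier, and "trunctated" is misspelled. The merged loop also tests the delimiters after the backslash has been consumed, so a backslash-escaped space, tab or comma in an unquoted token now appears to end the token, which the removed code did not do; it is worth confirming that this is intended. The body of token() continues beyond the embedded hunk, so the callers' handling of a truncated token is not visible here.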