[ftp] Fix buffer overflow in token parsing

jsynacek jsynacek at fedoraproject.org
Tue Oct 30 07:38:18 UTC 2012


commit 5f38f714ec5db512cd4d944d5958586729756357
Author: Jan Synacek <jsynacek at redhat.com>
Date:   Tue Oct 30 08:37:31 2012 +0100

    Fix buffer overflow in token parsing
    
    Resolves: #871296

 ftp.spec                    |    8 ++++-
 netkit-ftp-0.17-token.patch |   75 +++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 82 insertions(+), 1 deletions(-)
---
diff --git a/ftp.spec b/ftp.spec
index cbdd8df..32a3b1d 100644
--- a/ftp.spec
+++ b/ftp.spec
@@ -1,7 +1,7 @@
 Summary: The standard UNIX FTP (File Transfer Protocol) client
 Name: ftp
 Version: 0.17
-Release: 62%{?dist}
+Release: 63%{?dist}
 License: BSD with advertising
 Group: Applications/Internet
 Source0: ftp://ftp.linux.org.uk/pub/linux/Networking/netkit/netkit-ftp-%{version}.tar.gz
@@ -39,6 +39,7 @@ Patch30: netkit-ftp-0.17-active-mode-option.patch
 Patch31: netkit-ftp-0.17-commands-leaks.patch
 Patch32: netkit-ftp-0.17-lsn-timeout.patch
 Patch33: netkit-ftp-0.17-getlogin.patch
+Patch34: netkit-ftp-0.17-token.patch
 
 BuildRequires: glibc-devel, readline-devel, ncurses-devel
 
@@ -85,6 +86,7 @@ file transfers.
 %patch31 -p1 -b .cmds-leaks
 %patch32 -p1 -b .lsn-timeout
 %patch33 -p1 -b .getlogin
+%patch34 -p1 -b .token
 
 %build
 sh configure --with-c-compiler=gcc --enable-ipv6
@@ -113,6 +115,10 @@ make INSTALLROOT=${RPM_BUILD_ROOT} install
 %{_mandir}/man5/netrc.*
 
 %changelog
+* Tue Oct 30 2012 Jan Synáček <jsynacek at redhat.com> - 0.17-63
+- Fix buffer overflow in token parsing
+- Resolves: #871296
+
 * Tue Oct 30 2012 Jan Synáček <jsynacek at redhat.com> - 0.17-62
 - Fix linelen patch
 - Resolves: #871290
diff --git a/netkit-ftp-0.17-token.patch b/netkit-ftp-0.17-token.patch
new file mode 100644
index 0000000..d888300
--- /dev/null
+++ b/netkit-ftp-0.17-token.patch
@@ -0,0 +1,75 @@
+diff -rup netkit-ftp-0.17/ftp/ruserpass.c netkit-ftp-0.17-new/ftp/ruserpass.c
+--- netkit-ftp-0.17/ftp/ruserpass.c	2012-10-29 15:11:10.593841089 +0100
++++ netkit-ftp-0.17-new/ftp/ruserpass.c	2012-10-29 15:13:14.379822697 +0100
+@@ -58,7 +58,8 @@ static int token(void);
+ #define	ID	10
+ #define	MACH	11
+ 
+-static char tokval[100];
++#define MAXTOKENLEN 4096
++static char tokval[MAXTOKENLEN];
+ 
+ static struct toktab {
+ 	const char *tokstr;
+@@ -249,13 +250,16 @@ bad:
+ 	return(-1);
+ }
+ 
+-static 
++static
+ int
+ token(void)
+ {
+ 	char *cp;
+ 	int c;
+ 	struct toktab *t;
++	size_t toklen = 0;
++	int showwarn = 1;
++	int quote = 0;
+ 
+ 	if (feof(cfile))
+ 		return (0);
+@@ -266,20 +270,32 @@ token(void)
+ 		return (0);
+ 	cp = tokval;
+ 	if (c == '"') {
+-		while ((c = getc(cfile)) != EOF && c != '"') {
+-			if (c == '\\')
+-				c = getc(cfile);
+-			*cp++ = c;
+-		}
+-	} else {
++		quote = 1;
++	}
++	else {
+ 		*cp++ = c;
+-		while ((c = getc(cfile)) != EOF
+-		    && c != '\n' && c != '\t' && c != ' ' && c != ',') {
+-			if (c == '\\')
+-				c = getc(cfile);
+-			*cp++ = c;
++		toklen++;
++	}
++	while ((c = getc(cfile)) != EOF) {
++		if (c == '"')
++			break;
++		if (c == '\\')
++			c = getc(cfile);
++		if (!quote && (c == '\n' || c == '\t' || c == ' ' || c == ','))
++			break;
++		if (toklen >= MAXTOKENLEN) {
++			if (showwarn) {
++				fprintf(stderr,
++						"Warning: .netrc token too long, will be trunctated to %zd characters\n",
++						toklen);
++				showwarn = 0;
++			}
++			continue;
+ 		}
++		*cp++ = c;
++		toklen++;
+ 	}
++
+ 	*cp = 0;
+ 	if (tokval[0] == 0)
+ 		return (0);
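Review bot: The new length guard in token() still allows a one-byte write past `tokval`: characters are stored while `toklen < MAXTOKENLEN`, so after a maximum-length token `cp` equals `tokval + MAXTOKENLEN` and the terminating `*cp = 0;` lands outside the `MAXTOKENLEN`-byte array. The guard should leave room for the terminator, `if (toklen >= MAXTOKENLEN - 1) {`. The warning also prints a `size_t` with `%zd`, where `%zu` is the matching specifier, and "trunctated" should read "truncated". Separately, the merged loop now ends an unquoted token on a backslash-escaped space, tab, newline or comma and on any bare `"`, which the removed code did not, so .netrc entries relying on those forms may parse differently. token() continues past the end of this hunk.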

