Source-Changes-HG archive
[src/trunk]: src/usr.bin/ftp avoid buffer overrun on PASV from malicious server.
details: https://anonhg.NetBSD.org/src/rev/b8a810dacbb7
branches: trunk
changeset: 526099:b8a810dacbb7
user: itojun <itojun%NetBSD.org@localhost>
date: Thu Apr 25 10:55:43 2002 +0000
description:
avoid buffer overrun on PASV from malicious server.
http://online.securityfocus.com/archive/1/269356/2002-04-22/2002-04-28/0
diffstat:
usr.bin/ftp/ftp.c | 11 ++++++-----
1 files changed, 6 insertions(+), 5 deletions(-)
diffs (32 lines):
diff -r 49d106f33d98 -r b8a810dacbb7 usr.bin/ftp/ftp.c
--- a/usr.bin/ftp/ftp.c Thu Apr 25 09:39:17 2002 +0000
+++ b/usr.bin/ftp/ftp.c Thu Apr 25 10:55:43 2002 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: ftp.c,v 1.117 2001/12/26 09:40:16 lukem Exp $ */
+/* $NetBSD: ftp.c,v 1.118 2002/04/25 10:55:43 itojun Exp $ */
/*-
* Copyright (c) 1996-2001 The NetBSD Foundation, Inc.
@@ -103,7 +103,7 @@
#if 0
static char sccsid[] = "@(#)ftp.c 8.6 (Berkeley) 10/27/94";
#else
-__RCSID("$NetBSD: ftp.c,v 1.117 2001/12/26 09:40:16 lukem Exp $");
+__RCSID("$NetBSD: ftp.c,v 1.118 2002/04/25 10:55:43 itojun Exp $");
#endif
#endif /* not lint */
@@ -486,9 +486,10 @@
if (dig > 4 && pflag == 1 && isdigit(c))
pflag = 2;
if (pflag == 2) {
- if (c != '\r' && c != ')')
- *pt++ = c;
- else {
+ if (c != '\r' && c != ')') {
+ if (pt < &pasv[sizeof(pasv) - 1])
+ *pt++ = c;
+ } else {
*pt = '\0';
pflag = 3;
}
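Review bot: In the pflag == 2 branch, the new guard `if (pt < &pasv[sizeof(pasv) - 1])` silently drops any characters that do not fit, so an overlong PASV reply is truncated and still reaches `pflag = 3` as though it were a complete reply. Consider recording that the limit was hit (for instance in an else arm of that guard) and rejecting the reply, rather than going on to use a truncated address and port string. The bound itself correctly reserves one byte for the `*pt = '\0'` terminator, but `sizeof(pasv)` only gives the buffer size if pasv is an array in this scope and not a pointer; the declaration is outside the hunk, so that is worth confirming.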