summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorMoritz Jodeit <moritz@cvs.openbsd.org>2007-03-22 11:35:03 +0000
committerMoritz Jodeit <moritz@cvs.openbsd.org>2007-03-22 11:35:03 +0000
commit51e7678b67218b6f0619e3272c214b1faf0a586c (patch)
tree035485542fed6068c5dab00a94bcc76a9055e5b7
parent4c4f9229204b8b90daaaba97f4dfd487f2a850d0 (diff)
Fix buffer overflow when parsing the .netrc file.
From Nicholas Marriott. ok millert@ deraadt@
-rw-r--r--usr.bin/ftp/ruserpass.c35
1 files changed, 27 insertions, 8 deletions
diff --git a/usr.bin/ftp/ruserpass.c b/usr.bin/ftp/ruserpass.c
index 8e28a0dcaf5..8cf986b1c37 100644
--- a/usr.bin/ftp/ruserpass.c
+++ b/usr.bin/ftp/ruserpass.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ruserpass.c,v 1.20 2006/05/16 23:43:16 ray Exp $ */
+/* $OpenBSD: ruserpass.c,v 1.21 2007/03/22 11:35:02 moritz Exp $ */
/* $NetBSD: ruserpass.c,v 1.14 1997/07/20 09:46:01 lukem Exp $ */
/*
@@ -35,7 +35,7 @@
static char sccsid[] = "@(#)ruserpass.c 8.4 (Berkeley) 4/27/95";
#else
#ifndef SMALL
-static const char rcsid[] = "$OpenBSD: ruserpass.c,v 1.20 2006/05/16 23:43:16 ray Exp $";
+static const char rcsid[] = "$OpenBSD: ruserpass.c,v 1.21 2007/03/22 11:35:02 moritz Exp $";
#endif /* SMALL */
#endif
#endif /* not lint */
@@ -108,7 +108,7 @@ ruserpass(const char *host, char **aname, char **apass, char **aacct)
if ((mydomain = strchr(myname, '.')) == NULL)
mydomain = "";
next:
- while ((t = token())) switch(t) {
+ while ((t = token()) > 0) switch(t) {
case DEFAULT:
usedefault = 1;
@@ -116,7 +116,9 @@ next:
case MACH:
if (!usedefault) {
- if (token() != ID)
+ if ((t = token()) == -1)
+ goto bad;
+ if (t != ID)
continue;
/*
* Allow match either for user's input host name
@@ -142,10 +144,13 @@ next:
continue;
}
match:
- while ((t = token()) && t != MACH && t != DEFAULT) switch(t) {
+ while ((t = token()) > 0 &&
+ t != MACH && t != DEFAULT) switch(t) {
case LOGIN:
- if (token()) {
+ if ((t = token()) == -1)
+ goto bad;
+ if (t) {
if (*aname == 0)
*aname = strdup(tokval);
else {
@@ -162,7 +167,9 @@ next:
warnx("Remove password or make file unreadable by others.");
goto bad;
}
- if (token() && *apass == 0)
+ if ((t = token()) == -1)
+ goto bad;
+ if (t && *apass == 0)
*apass = strdup(tokval);
break;
case ACCOUNT:
@@ -172,7 +179,9 @@ next:
warnx("Remove account or make file unreadable by others.");
goto bad;
}
- if (token() && *aacct == 0)
+ if ((t = token()) == -1)
+ goto bad;
+ if (t && *aacct == 0)
*aacct = strdup(tokval);
break;
case MACDEF:
@@ -248,6 +257,8 @@ next:
goto done;
}
done:
+ if (t == -1)
+ goto bad;
(void)fclose(cfile);
return (0);
bad:
@@ -275,6 +286,10 @@ token(void)
if (c == '\\')
c = fgetc(cfile);
*cp++ = c;
+ if (cp == tokval + sizeof(tokval)) {
+ warnx("Token in .netrc too long");
+ return (-1);
+ }
}
} else {
*cp++ = c;
@@ -283,6 +298,10 @@ token(void)
if (c == '\\')
c = fgetc(cfile);
*cp++ = c;
+ if (cp == tokval + sizeof(tokval)) {
+ warnx("Token in .netrc too long");
+ return (-1);
+ }
}
}
*cp = 0;