From 5a128d9185ebdbfaba6477a99ad2db8d96f11b15 Mon Sep 17 00:00:00 2001
From: Tobias Weingartner
Date: Tue, 10 Feb 1998 02:13:11 +0000
Subject: Fix buffer overflows in quote1(), clear line buffer before use.
Hopefully, this is the last of the PR# 406 stuff that this will need.
---
 usr.bin/ftp/cmds.c | 37 +++++++++++++++++++++++++++----------
 usr.bin/ftp/ftp.c | 5 +++--
 2 files changed, 30 insertions(+), 12 deletions(-)
diff --git a/usr.bin/ftp/cmds.c b/usr.bin/ftp/cmds.c
index 73753b8c847..aedb310027b 100644
--- a/usr.bin/ftp/cmds.c
+++ b/usr.bin/ftp/cmds.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: cmds.c,v 1.25 1998/02/08 21:04:16 weingart Exp $ */
+/* $OpenBSD: cmds.c,v 1.26 1998/02/10 02:13:10 weingart Exp $ */
 /* $NetBSD: cmds.c,v 1.27 1997/08/18 10:20:15 lukem Exp $ */
 
 /*
@@ -38,7 +38,7 @@
 #if 0
 static char sccsid[] = "@(#)cmds.c 8.6 (Berkeley) 10/9/94";
 #else
-static char rcsid[] = "$OpenBSD: cmds.c,v 1.25 1998/02/08 21:04:16 weingart Exp $";
+static char rcsid[] = "$OpenBSD: cmds.c,v 1.26 1998/02/10 02:13:10 weingart Exp $";
 #endif
 #endif /* not lint */
 
@@ -1431,7 +1431,7 @@ site(argc, argv)
 code = -1;
 return;
 }
- quote1("SITE ", argc, argv);
+ quote1("SITE", argc, argv);
 }
 
 /*
@@ -1450,15 +1450,32 @@ quote1(initial, argc, argv)
 (void)strncpy(buf, initial, sizeof(buf) - 1);
 buf[sizeof(buf) - 1] = '\0';
 if (argc > 1) {
- len = strlen(buf);
- len += strlen(strncpy(&buf[len], argv[1],
- sizeof(buf) - len - 1));
- for (i = 2; i < argc && len < sizeof(buf); i++) {
- buf[len++] = ' ';
- len += strlen(strncpy(&buf[len], argv[i],
- sizeof(buf) - len - 1));
+ for (i = 1, len = strlen(buf); i < argc && len < sizeof(buf)-1; i++) {
+
+ /* Sanity check */
+ if (len >= sizeof(buf) - 1)
+ break;
+
+ /* Space for next arg */
+ if (len > 1)
+ buf[len++] = ' ';
+
+ /* Sanity check */
+ if (len >= sizeof(buf) - 1)
+ break;
+
+ /* Copy next argument, NULL terminate always */
+ strncpy(&buf[len], argv[i], sizeof(buf) - len - 1);
+ buf[sizeof(buf) - 1] = '\0';
+
+ /* Update string length */
+ len = strlen(buf);
 }
 }
+
+ /* Make double (tripple?) sure the sucker is NULL terminated */
+ buf[sizeof(buf) - 1] = '\0';
+
 if (command(buf) == PRELIM) {
 while (getreply(0) == PRELIM)
 continue;
diff --git a/usr.bin/ftp/ftp.c b/usr.bin/ftp/ftp.c
index 29be2baeecf..342efadf7d0 100644
--- a/usr.bin/ftp/ftp.c
+++ b/usr.bin/ftp/ftp.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ftp.c,v 1.24 1997/12/17 16:03:03 millert Exp $ */
+/* $OpenBSD: ftp.c,v 1.25 1998/02/10 02:13:10 weingart Exp $ */
 /* $NetBSD: ftp.c,v 1.27 1997/08/18 10:20:23 lukem Exp $ */
 
 /*
@@ -38,7 +38,7 @@
 #if 0
 static char sccsid[] = "@(#)ftp.c 8.6 (Berkeley) 10/27/94";
 #else
-static char rcsid[] = "$OpenBSD: ftp.c,v 1.24 1997/12/17 16:03:03 millert Exp $";
+static char rcsid[] = "$OpenBSD: ftp.c,v 1.25 1998/02/10 02:13:10 weingart Exp $";
 #endif
 #endif /* not lint */
 
@@ -279,6 +279,7 @@ getreply(expecteof)
 int pflag = 0;
 char *cp, *pt = pasv;
 
+ memset(current_line, 0, sizeof(current_line));
 oldintr = signal(SIGINT, cmdabort);
 for (line = 0 ;; line++) {
 dig = n = code = 0;
-- cgit v1.2.3
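Review bot: The separator test `if (len > 1)` in the new loop omits the space whenever the buffer holds exactly one character, so a caller that passes an empty `initial` (not visible in this hunk) followed by a one-character first argument gets its second argument glued onto the first; the test should be whether the buffer holds anything at all, `if (len > 0)`. The first `/* Sanity check */` inside the loop repeats the loop condition `len < sizeof(buf)-1` and can be dropped; the second one, after the space is appended, is the one that matters. Truncation is still silent: when the arguments do not fit, a shortened command goes to the server with no indication to the user, so at minimum the `len = strlen(buf);` line deserves a comment such as `/* strncpy may have truncated; len then stays at sizeof(buf)-1 and the loop exits */`, and a warning to the user would be better. quote1's signature and local declarations lie outside the hunk.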
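Review bot: `memset(current_line, 0, sizeof(current_line));` only clears the whole buffer if `current_line` is declared as an array in this translation unit; if it is a pointer, `sizeof` yields the pointer size and the buffer is left as it was — its declaration is outside the hunk, so confirm it. Zeroing before each reply is a safety net, not a bound: the code that later stores into `current_line` (also outside the hunk) must still limit its writes to `sizeof(current_line) - 1`, because a write that fills the last byte leaves no terminator regardless of this memset. A comment stating that contract would help the next reader, e.g. `/* Clear stale reply text; the writers below must still leave room for the NUL. */`. getreply continues past the end of the hunk.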