From 4d1e24e832d95318066f653e8eedfffc40536be4 Mon Sep 17 00:00:00 2001
From: Jun-ichiro itojun Hagino
Date: Thu, 25 Apr 2002 10:58:06 +0000
Subject: avoid buffer overrun on PASV from malicious server. http://online.securityfocus.com/archive/1/269356/2002-04-22/2002-04-28/0
---
 usr.bin/ftp/ftp.c | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)
(limited to 'usr.bin/ftp')
diff --git a/usr.bin/ftp/ftp.c b/usr.bin/ftp/ftp.c
index 14c2866b599..24990c955aa 100644
--- a/usr.bin/ftp/ftp.c
+++ b/usr.bin/ftp/ftp.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ftp.c,v 1.43 2002/02/19 19:39:38 millert Exp $ */
+/* $OpenBSD: ftp.c,v 1.44 2002/04/25 10:58:05 itojun Exp $ */
 /* $NetBSD: ftp.c,v 1.27 1997/08/18 10:20:23 lukem Exp $ */
 /*
@@ -67,7 +67,7 @@
 #if 0
 static char sccsid[] = "@(#)ftp.c 8.6 (Berkeley) 10/27/94";
 #else
-static char rcsid[] = "$OpenBSD: ftp.c,v 1.43 2002/02/19 19:39:38 millert Exp $";
+static char rcsid[] = "$OpenBSD: ftp.c,v 1.44 2002/04/25 10:58:05 itojun Exp $";
 #endif
 #endif /* not lint */
@@ -400,9 +400,10 @@ getreply(expecteof)
 if (dig > 4 && pflag == 1 && isdigit(c))
 pflag = 2;
 if (pflag == 2) {
- if (c != '\r' && c != ')')
- *pt++ = c;
- else {
+ if (c != '\r' && c != ')') {
+ if (pt < &pasv[sizeof(pasv) - 1])
+ *pt++ = c;
+ } else {
 *pt = '\0';
 pflag = 3;
 }
--
cgit v1.2.3
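Review bot: The new bound check in the `pflag == 2` branch of the last hunk drops excess bytes silently, so an over-long PASV reply is truncated, NUL-terminated and still passed on with `pflag = 3` as if it were well-formed. Whatever parses `pasv` afterwards (outside this hunk) would then presumably see a cut-off address tuple; it would be safer to treat overflow as a malformed reply, or at least to record the behaviour in a comment such as `/* over-long reply: excess bytes are dropped, last byte is reserved for the NUL */`. The check also depends on `pasv` being a true array in this scope, since `sizeof(pasv)` on a pointer would give the wrong bound. Its declaration is not visible here, and getreply's body starts and ends outside the hunk.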