- This patch fixes a one-byte buffer overflow

Changed files:
    ftpd-BSD-overflow.patch -> 1.1

diff --git a/ftpd-BSD-overflow.patch b/ftpd-BSD-overflow.patch
new file mode 100644 (file)
index 0000000..9729da6
--- /dev/null
+++ b/ftpd-BSD-overflow.patch
@@ -0,0 +1,30 @@
+--- libexec/ftpd/ftpd.c        2000/09/15 07:13:45     1.79
++++ libexec/ftpd/ftpd.c        2000/12/05 17:06:29
+@@ -1959,15 +1959,21 @@
+ replydirname(name, message)
+       const char *name, *message;
+ {
++      char *p, *ep;
+       char npath[MAXPATHLEN];
+-      int i;
+ 
+-      for (i = 0; *name != '\0' && i < sizeof(npath) - 1; i++, name++) {
+-              npath[i] = *name;
+-              if (*name == '"')
+-                      npath[++i] = '"';
++      p = npath;
++      ep = &npath[sizeof(npath) - 1];
++      while (*name) {
++              if (*name == '"' && ep - p >= 2) {
++                      *p++ = *name++;
++                      *p++ = '"';
++              } else if (ep - p >= 1)
++                      *p++ = *name++;
++              else
++                      break;
+       }
+-      npath[i] = '\0';
++      *p = '\0';
+       reply(257, "\"%s\" %s", npath, message);
+ }
+