Fix buffer overflow in token parsing

Resolves: #871296
2012-10-30 08:37:31 +01:00 · 2012-10-30 08:37:31 +01:00 · 5f38f714ec
commit 5f38f714ec
parent 445d297f37
2 changed files with 82 additions and 1 deletions
--- a/ftp.spec
+++ b/ftp.spec
@ -1,7 +1,7 @@
 Summary: The standard UNIX FTP (File Transfer Protocol) client
 Name: ftp
 Version: 0.17
-Release: 62%{?dist}
+Release: 63%{?dist}
 License: BSD with advertising
 Group: Applications/Internet
 Source0: ftp://ftp.linux.org.uk/pub/linux/Networking/netkit/netkit-ftp-%{version}.tar.gz
@ -39,6 +39,7 @@ Patch30: netkit-ftp-0.17-active-mode-option.patch
 Patch31: netkit-ftp-0.17-commands-leaks.patch
 Patch32: netkit-ftp-0.17-lsn-timeout.patch
 Patch33: netkit-ftp-0.17-getlogin.patch
+Patch34: netkit-ftp-0.17-token.patch

 BuildRequires: glibc-devel, readline-devel, ncurses-devel

@ -85,6 +86,7 @@ file transfers.
 %patch31 -p1 -b .cmds-leaks
 %patch32 -p1 -b .lsn-timeout
 %patch33 -p1 -b .getlogin
+%patch34 -p1 -b .token

 %build
 sh configure --with-c-compiler=gcc --enable-ipv6
@ -113,6 +115,10 @@ make INSTALLROOT=${RPM_BUILD_ROOT} install
 %{_mandir}/man5/netrc.*

 %changelog
+* Tue Oct 30 2012 Jan Synáček <jsynacek@redhat.com> - 0.17-63
+- Fix buffer overflow in token parsing
+- Resolves: #871296
+
 * Tue Oct 30 2012 Jan Synáček <jsynacek@redhat.com> - 0.17-62
 - Fix linelen patch
 - Resolves: #871290
--- a/netkit-ftp-0.17-token.patch
+++ b/netkit-ftp-0.17-token.patch
@ -0,0 +1,75 @@
+diff -rup netkit-ftp-0.17/ftp/ruserpass.c netkit-ftp-0.17-new/ftp/ruserpass.c
+--- netkit-ftp-0.17/ftp/ruserpass.c	2012-10-29 15:11:10.593841089 +0100
+++ netkit-ftp-0.17-new/ftp/ruserpass.c	2012-10-29 15:13:14.379822697 +0100
+@@ -58,7 +58,8 @@ static int token(void);
+ #define	ID	10
+ #define	MACH	11
+ 
+-static char tokval[100];
+#define MAXTOKENLEN 4096
+static char tokval[MAXTOKENLEN];
+ 
+ static struct toktab {
+ 	const char *tokstr;
+@@ -249,13 +250,16 @@ bad:
+ 	return(-1);
+ }
+ 
+-static 
+static
+ int
+ token(void)
+ {
+ 	char *cp;
+ 	int c;
+ 	struct toktab *t;
+	size_t toklen = 0;
+	int showwarn = 1;
+	int quote = 0;
+ 
+ 	if (feof(cfile))
+ 		return (0);
+@@ -266,20 +270,32 @@ token(void)
+ 		return (0);
+ 	cp = tokval;
+ 	if (c == '"') {
+-		while ((c = getc(cfile)) != EOF && c != '"') {
+-			if (c == '\\')
+-				c = getc(cfile);
+-			*cp++ = c;
+-		}
+-	} else {
+		quote = 1;
+	}
+	else {
+ 		*cp++ = c;
+-		while ((c = getc(cfile)) != EOF
+-		    && c != '\n' && c != '\t' && c != ' ' && c != ',') {
+-			if (c == '\\')
+-				c = getc(cfile);
+-			*cp++ = c;
+		toklen++;
+	}
+	while ((c = getc(cfile)) != EOF) {
+		if (c == '"')
+			break;
+		if (c == '\\')
+			c = getc(cfile);
+		if (!quote && (c == '\n' || c == '\t' || c == ' ' || c == ','))
+			break;
+		if (toklen >= MAXTOKENLEN) {
+			if (showwarn) {
+				fprintf(stderr,
+						"Warning: .netrc token too long, will be trunctated to %zd characters\n",
+						toklen);
+				showwarn = 0;
+			}
+			continue;
+ 		}
+		*cp++ = c;
+		toklen++;
+ 	}
+
+ 	*cp = 0;
+ 	if (tokval[0] == 0)
+ 		return (0);