Diffstat (limited to 'net-ftp/netkit-ftpd/files/netkit-ftpd-0.17-CVE-2008-4247.patch')
-rw-r--r--net-ftp/netkit-ftpd/files/netkit-ftpd-0.17-CVE-2008-4247.patch108
1 files changed, 108 insertions, 0 deletions
diff --git a/net-ftp/netkit-ftpd/files/netkit-ftpd-0.17-CVE-2008-4247.patch b/net-ftp/netkit-ftpd/files/netkit-ftpd-0.17-CVE-2008-4247.patch
new file mode 100644
index 000000000000..e1b50c825bfc
--- /dev/null
+++ b/net-ftp/netkit-ftpd/files/netkit-ftpd-0.17-CVE-2008-4247.patch
@@ -0,0 +1,108 @@
+http://bugs.gentoo.org/239047
+
+--- linux-ftpd-0.17/ftpd/extern.h
++++ linux-ftpd-0.17/ftpd/extern.h
+@@ -43,7 +43,7 @@ void dologout __P((int));
+ void fatal __P((const char *));
+ int ftpd_pclose __P((FILE *));
+ FILE *ftpd_popen __P((char *, const char *));
+-char *ftpd_getline __P((char *, int, FILE *));
++int ftpd_getline __P((char *, int, FILE *));
+ void ftpdlogwtmp __P((const char *, const char *, const char *));
+ void lreply __P((int, const char *, ...));
+ void makedir __P((char *));
+--- linux-ftpd-0.17/ftpd/ftpcmd.y
++++ linux-ftpd-0.17/ftpd/ftpcmd.y
+@@ -980,7 +980,7 @@ static struct tab *lookup(struct tab *p,
+ /*
+ * getline - a hacked up version of fgets to ignore TELNET escape codes.
+ */
+-char * ftpd_getline(char *s, int n, FILE *iop)
++int ftpd_getline(char *s, int n, FILE *iop)
+ {
+ int c;
+ register char *cs;
+@@ -995,7 +995,7 @@ char * ftpd_getline(char *s, int n, FILE
+ if (debug)
+ syslog(LOG_DEBUG, "command: %s", s);
+ tmpline[0] = '\0';
+- return(s);
++ return(0);
+ }
+ if (c == 0)
+ tmpline[0] = '\0';
+@@ -1037,11 +1037,22 @@ char * ftpd_getline(char *s, int n, FILE
+ }
+ }
+ *cs++ = c;
+- if (--n <= 0 || c == '\n')
++ if (--n <= 0) {
++ /*
++ * If command doesn't fit into buffer, discard the
++ * rest of the command and indicate truncation.
++ * This prevents the command to be split up into
++ * multiple commands.
++ */
++ while (c != '\n' && (c = getc(iop)) != EOF)
++ ;
++ return (-2);
++ }
++ if (c == '\n')
+ break;
+ }
+ if (c == EOF && cs == s)
+- return (NULL);
++ return (-1);
+ *cs++ = '\0';
+ if (debug) {
+ if (!guest && strncasecmp("pass ", s, 5) == 0) {
+@@ -1061,7 +1072,7 @@ char * ftpd_getline(char *s, int n, FILE
+ syslog(LOG_DEBUG, "command: %.*s", len, s);
+ }
+ }
+- return (s);
++ return (0);
+ }
+
+ void toolong(int signo)
+@@ -1090,9 +1101,14 @@ static int yylex(void)
+ case CMD:
+ (void) signal(SIGALRM, toolong);
+ (void) alarm((unsigned) timeout);
+- if (ftpd_getline(cbuf, sizeof(cbuf)-1, stdin)==NULL) {
++ n = ftpd_getline(cbuf, sizeof(cbuf)-1, stdin);
++ if (n == -1) {
+ reply(221, "You could at least say goodbye.");
+ dologout(0);
++ } else if (n == -2) {
++ reply(500, "Command too long.");
++ alarm(0);
++ continue;
+ }
+ (void) alarm(0);
+ if ((cp = strchr(cbuf, '\r'))) {
+--- linux-ftpd-0.17/ftpd/ftpd.c
++++ linux-ftpd-0.17/ftpd/ftpd.c
+@@ -2210,6 +2210,7 @@ void dologout(int status)
+ static void myoob(int signo)
+ {
+ char *cp;
++ int ret;
+ int save_errno = errno;
+
+ (void)signo;
+@@ -2218,9 +2219,13 @@ static void myoob(int signo)
+ if (!transflag)
+ return;
+ cp = tmpline;
+- if (ftpd_getline(cp, 7, stdin) == NULL) {
++ ret = ftpd_getline(cp, 7, stdin);
++ if (ret == -1) {
+ reply(221, "You could at least say goodbye.");
+ dologout(0);
++ } else if (ret == -2) {
++ /* Ignore truncated command */
++ return;
+ }
+ upper(cp);
+ if (strcmp(cp, "ABOR\r\n") == 0) {
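Review bot: In myoob() the new `ret == -2` branch returns while the truncated fragment is still in `tmpline`, because `cp = tmpline` is the buffer passed to `ftpd_getline(cp, 7, stdin)` and the truncation path in ftpd_getline does `return (-2)` before the `*cs++ = '\0'` terminator is written. The context lines at the top of ftpd_getline suggest that `tmpline` is replayed as the start of the next command (the loop header is outside the hunks, so this is inferred), in which case up to seven stale, unterminated bytes could be prepended to whatever the client sends next. Clearing the buffer before leaving, with `tmpline[0] = '\0';` ahead of the `return;`, would make the discard complete. The header comment above ftpd_getline should also state the new return contract: `0` on success, `-1` on EOF with nothing read, `-2` when the line did not fit and the remainder was discarded.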