From abf36ebac0b8b760c4e5e024a9306c4a13a3dcb6 Mon Sep 17 00:00:00 2001
From: kris
Date: Sun, 13 Jul 2003 05:59:50 +0000
Subject: FreeBSD does not use this code, but ftpd_popen() contains a buffer overflow. We might as well patch it.

Submitted by: Przemyslaw Frasunek
PR: bin/23352
MFC After: The average time before an unpatched Windows 2000 server gets owned
---
 contrib/opie/popen.c | 14 ++++++++++----
 1 file changed, 10 insertions(+), 4 deletions(-)
(limited to 'contrib/opie')

diff --git a/contrib/opie/popen.c b/contrib/opie/popen.c
index d5ad0f0..99aad17 100644
--- a/contrib/opie/popen.c
+++ b/contrib/opie/popen.c
@@ -23,6 +23,7 @@ License Agreement applies to this software.
 Modified at NRL for OPIE 2.0.
 Originally from BSD.
 
+$FreeBSD$
 */
 /*
  * Copyright (c) 1988, 1993, 1994
@@ -84,6 +85,9 @@ License Agreement applies to this software.
 #include "opie.h"
 
+#define MAXUSRARGS 100
+#define MAXGLOBARGS 1000
+
 char **ftpglob __P((register char *));
 char **copyblk __P((char **));
 VOIDRET blkfree __P((char **));
@@ -103,7 +107,7 @@ FILE *ftpd_popen FUNCTION((program, type), char *program AND char *type)
 char *cp;
 FILE *iop;
 int argc, gargc, pdes[2];
- char **pop, *argv[100], *gargv[1000], *vv[2];
+ char **pop, *argv[MAXUSRARGS], *gargv[MAXGLOBARGS], *vv[2];
 
 if ((*type != 'r' && *type != 'w') || type[1])
 return (NULL);
@@ -112,13 +116,15 @@ FILE *ftpd_popen FUNCTION((program, type), char *program AND char *type)
 return (NULL);
 
 /* break up string into pieces */
- for (argc = 0, cp = program;; cp = NULL)
+ for (argc = 0, cp = program; argc < MAXUSRARGS-1; cp = NULL) {
 if (!(argv[argc++] = strtok(cp, " \t\n")))
 break;
+ }
+ argv[argc - 1] = NULL;
 
 /* glob each piece */
 gargv[0] = argv[0];
- for (gargc = argc = 1; argv[argc]; argc++) {
+ for (gargc = argc = 1; argv[argc] && gargc < (MAXGLOBARGS-1); argc++) {
 if (!(pop = (char **) ftpglob(argv[argc]))) {
 /* globbing failed */
 vv[0] = argv[argc];
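Review bot: When the glob loop's new `gargc < (MAXGLOBARGS-1)` bound stops it before `argv[argc]` is NULL, that slot still holds the raw strtok token rather than the ftpglob/copyblk block that the next hunk's `/* save to free later */` comment says each processed slot is replaced with. If, as that comment implies, a later pass walks `argv[1..]` and hands every entry to `blkfree`, it would be freeing a plain string; and even where nothing frees it, the child runs on a silently truncated argument list. The tokenizing loop has the same shape: when `argc` reaches `MAXUSRARGS-1` with input left, `argv[argc - 1] = NULL;` overwrites the last parsed token instead of rejecting the over-long command. I would treat both limits as errors, as sketched below: reject after tokenizing when `argv[argc - 1]` is still non-NULL (a limit one token stricter than the array allows, which makes the NULL store redundant), and after globbing free the blocks already built and return NULL; ftpd_popen begins in the previous hunk and continues past this one, so anything acquired before this point (the hunk opens right after an earlier error return) must be released on these new failure paths too.
```c
	/* … unchanged: strtok loop bounded by MAXUSRARGS-1 … */
	if (argv[argc - 1] != NULL)	/* limit hit with input left: refuse, don't truncate */
		return (NULL);		/* release anything acquired earlier in the function first */
	/* … unchanged: glob each piece, appending to gargv … */
	if (argv[argc] != NULL) {	/* stopped at MAXGLOBARGS-1 with pieces still un-globbed */
		while (--argc >= 1)	/* argv[1..argc-1] hold the blocks built so far */
			blkfree((char **) argv[argc]);
		return (NULL);		/* same release as above */
	}
	gargv[gargc] = NULL;
```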
@@ -126,7 +132,7 @@ FILE *ftpd_popen FUNCTION((program, type), char *program AND char *type)
 pop = (char **) copyblk(vv);
 }
 argv[argc] = (char *) pop; /* save to free later */
- while (*pop && gargc < 1000)
+ while (*pop && gargc < MAXGLOBARGS-1)
 gargv[gargc++] = *pop++;
 }
 gargv[gargc] = NULL;
-- cgit v1.1
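Review bot: The tightened inner bound `gargc < MAXGLOBARGS-1` is the line that actually closes the off-by-one (with the old `< 1000` and the old `gargv[1000]` declaration, the `gargv[gargc] = NULL;` two lines below could write one past the array), yet nothing in the code records why the `-1` is there, and the outer loop in the previous hunk spells the same bound as `(MAXGLOBARGS-1)` with parentheses. I would write the two identically and add `/* keep one slot for the terminating NULL stored in gargv[gargc] */` on the `while` line. ftpd_popen continues beyond this hunk.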