+Fri Feb 6 13:25:28 1998 Theodore Y. Ts'o <tytso@mit.edu>
+
+ * popen.c (ftpd_popen): Make sure you can't overrun the argv[] and
+ gargv[] arrays. (Patch submitted by dima@best.net).
+
Thu Jan 29 19:51:02 1998 Dan Winship <danw@mit.edu>
* ftpd.c (auth_data): Accept forwarded credentials and dispose of
static int *pids;
static int fds;
+#define MAX_ARGV 100
+#define MAX_GARGV 1000
FILE *
ftpd_popen(program, type)
register char *cp;
FILE *iop;
int argc, gargc, pdes[2], pid;
- char **pop, *argv[100], *gargv[1000], *vv[2];
+ char **pop, *argv[MAX_ARGV], *gargv[MAX_GARGV], *vv[2];
extern char **ftpglob(), **copyblk();
if (*type != 'r' && *type != 'w' || type[1])
return(NULL);
/* break up string into pieces */
- for (argc = 0, cp = program;; cp = NULL)
+ for (argc = 0, cp = program; argc < MAX_ARGV - 1; cp = NULL)
if (!(argv[argc++] = strtok(cp, " \t\n")))
break;
- for (argc = 0; argv[argc]; argc++) argv[argc] = strdup(argv[argc]);
+ argv[MAX_ARGV-1] = NULL;
+ for (argc = 0; argv[argc]; argc++)
+ argv[argc] = strdup(argv[argc]);
/* glob each piece */
gargv[0] = argv[0];
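Review bot: Tokens beyond the first MAX_ARGV - 1 are dropped without any error by the new `for` bound, so an over-long command string is run with a silently truncated argument list instead of being refused. Since this string is presumably derived from a client request, failing closed is the safer behaviour: if the bound is reached while `strtok` still has input, return NULL after releasing whatever the earlier part of ftpd_popen (outside this hunk) has acquired. Separately, the result of `strdup` is not checked, so a NULL from a failed allocation is stored in argv[] and would act as an early terminator for any later scan of the array. A comment above the loop such as `/* argv[] holds at most MAX_ARGV - 1 tokens plus the NULL terminator */` would document the bound.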
pop = copyblk(vv);
}
argv[argc] = (char *)pop; /* save to free later */
- while (*pop && gargc < 1000)
+ while (*pop && gargc < MAX_GARGV)
gargv[gargc++] = *pop++;
}
gargv[gargc] = NULL;
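Review bot: The glob copy loop can still write one element past the end of gargv[]. With the bound `gargc < MAX_GARGV` the loop can exit with gargc equal to MAX_GARGV, and the following `gargv[gargc] = NULL;` then stores to gargv[MAX_GARGV], outside an array declared with MAX_GARGV entries. The bound should reserve the terminator slot the same way the argv[] loop does: `while (*pop && gargc < MAX_GARGV - 1)`. The enclosing loop begins outside this hunk and the function continues past it, so the remaining uses of gargc there should be checked against the same limit.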