FreeBSD-SA-04:16.fetch:releng/5.0

MFC revision 1.75 of src/usr.bin/fetch/fetch.c
Bump newvers.sh and document in UPDATING.

Approved by:	so

3 files changed, 7 insertions, 2 deletions

diff --git a/UPDATING b/UPDATING
index 0b3756641057..4ef04d0ab06e 100644
--- a/UPDATING
+++ b/UPDATING
@@ -17,6 +17,10 @@ minimal number of processes, if possible, for that patch.  For those
 updates that don't have an advisory, or to be safe, you can do a full
 build and install as described in the COMMON ITEMS section.
 
+20041118:	p22	FreeBSD-SA-04:16.fetch
+	Correct a buffer overflow in fetch(1) which could allow a
+	mallicious server to execute arbitrary code on the client.
+
 20040519:       p21	FreeBSD-SA-04:10.cvs
 	Correct a heap overflow in cvs's pserver protocol parser.
 
diff --git a/sys/conf/newvers.sh b/sys/conf/newvers.sh
index a3a0c78caf63..10d255a6a97a 100644
--- a/sys/conf/newvers.sh
+++ b/sys/conf/newvers.sh
@@ -36,7 +36,7 @@
 
 TYPE="FreeBSD"
 REVISION="5.0"
-BRANCH="RELEASE-p21"
+BRANCH="RELEASE-p22"
 RELEASE="${REVISION}-${BRANCH}"
 VERSION="${TYPE} ${RELEASE}"
 
diff --git a/usr.bin/fetch/fetch.c b/usr.bin/fetch/fetch.c
index 63cd73308c50..fadea0ff25c3 100644
--- a/usr.bin/fetch/fetch.c
+++ b/usr.bin/fetch/fetch.c
@@ -534,7 +534,8 @@ fetch(char *URL, const char *path)
 	/* suck in the data */
 	signal(SIGINFO, sig_handler);
 	while (!sigint) {
-		if (us.size != -1 && us.size - count < B_size)
+		if (us.size != -1 && us.size - count < B_size &&
+		    us.size - count >= 0)
 			size = us.size - count;
 		else
 			size = B_size;