diff options
| author | Gordon Tetlow <gordon@FreeBSD.org> | 2021-08-24 17:59:01 +0000 |
|---|---|---|
| committer | Gordon Tetlow <gordon@FreeBSD.org> | 2021-08-24 17:59:43 +0000 |
| commit | a75324d674f5df10f1407080a49cfe933dbb06ec (patch) | |
| tree | 080994055eaf6725e822e49b0a20dbb9ee3c9eb7 /lib/libfetch | |
| parent | 0729ba2f49c956789701aecb70f4f555181fd3a7 (diff) | |
| download | src-a75324d674f5df10f1407080a49cfe933dbb06ec.tar.gz src-a75324d674f5df10f1407080a49cfe933dbb06ec.zip | |
Fix libfetch out of bounds read.
Approved by: so
Security: SA-21:15.libfetch
Security: CVE-2021-36159
(cherry picked from commit 3be62d49ae2b6f9050f39fe74210c88f35901fa5)
Diffstat (limited to 'lib/libfetch')
| -rw-r--r-- | lib/libfetch/ftp.c | 5 |
1 files changed, 4 insertions, 1 deletions
diff --git a/lib/libfetch/ftp.c b/lib/libfetch/ftp.c index 9a546f3fecad..dfde6edce734 100644 --- a/lib/libfetch/ftp.c +++ b/lib/libfetch/ftp.c @@ -704,8 +704,11 @@ ftp_transfer(conn_t *conn, const char *oper, const char *file, goto ouch; } l = (e == FTP_PASSIVE_MODE ? 6 : 21); - for (i = 0; *p && i < l; i++, p++) + for (i = 0; *p && i < l; i++, p++) { addr[i] = strtol(p, &p, 10); + if (*p == '\0' && i < l - 1) + break; + } if (i < l) { e = FTP_PROTOCOL_ERROR; goto ouch; |