authorGordon Tetlow <gordon@FreeBSD.org>2021-08-24 18:02:42 +0000
committerGordon Tetlow <gordon@FreeBSD.org>2021-08-24 18:02:42 +0000
commitfab38dac650664eb614ab28ff2535d97bec21e89 (patch)
tree5627d3f79433683b931b291582354478b89a85b5
parent8fe0dbe59a7fdf65997de99f60fc4f385408b14a (diff)
Fix libfetch out of bounds read.
Approved by: so Security: SA-21:15.libfetch Security: CVE-2021-36159
-rw-r--r--lib/libfetch/ftp.c5
1 files changed, 4 insertions, 1 deletions
diff --git a/lib/libfetch/ftp.c b/lib/libfetch/ftp.c
index c034b5efa240..1755012fc99b 100644
--- a/lib/libfetch/ftp.c
+++ b/lib/libfetch/ftp.c
@@ -702,8 +702,11 @@ ftp_transfer(conn_t *conn, const char *oper, const char *file,
goto ouch;
}
l = (e == FTP_PASSIVE_MODE ? 6 : 21);
- for (i = 0; *p && i < l; i++, p++)
+ for (i = 0; *p && i < l; i++, p++) {
addr[i] = strtol(p, &p, 10);
+ if (*p == '\0' && i < l - 1)
+ break;
+ }
if (i < l) {
e = FTP_PROTOCOL_ERROR;
goto ouch;
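Review bot: The loop condition `*p && i < l` can still read one byte past the string terminator when the last expected number ends the reply. At `i == l - 1` the new `break` is skipped by design, the increment runs `p++` past the NUL, and `*p` is evaluated before `i < l` gets a chance to stop the loop. Testing the count first, `for (i = 0; i < l && *p; i++, p++) {`, removes that read without changing which replies are accepted. Whether that extra byte still lies inside the reply buffer cannot be told from this hunk, so it may be harmless in practice, but the reordered condition makes the loop safe on its own. Separately, the `strtol` result is stored into `addr[i]` without a range check; since `addr` is declared outside the hunk, it is worth confirming that out-of-range values from the server are rejected and not silently truncated.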