ftp: Avoid heap buffer overflow in macro execution

This fixes the problem reported by ZFeiXQ in <https://lists.gnu.org/archive/html/bug-inetutils/2021-12/msg00016.html>. * NEWS: Mention fix. * ftp/domacro.c (domacro): Check buffer size before copying into buffer. Reallocate buffer of sufficient size if necessary.
2026-01-12 00:19:39 +08:00 · 2022-09-25 14:39:21 +02:00
parent 3fc5c07144
commit 9dd2ccb8de
2 changed files with 19 additions and 1 deletions
--- a/3
+++ b/3
@@ -8,6 +8,9 @@ GNU inetutils NEWS -- history of user-visible changes.
 out-of-bounds buffer access.  Reported by AiDai in
 <https://lists.gnu.org/archive/html/bug-inetutils/2021-12/msg00003.html>.

+*** Avoid crash caused by heap buffer overflow.  Reported by ZFeiXQ in
+<https://lists.gnu.org/archive/html/bug-inetutils/2021-12/msg00016.html>.
+
 ** telnetd

 *** Avoid crash on 0xff 0xf7 (IAC EC) or 0xff 0xf8 (IAC EL).  CVE-2022-39028
--- a/ftp/domacro.c
+++ b/ftp/domacro.c
@@ -266,8 +266,23 @@ domacro (int argc, char *argv[])
 	      /* The arguments set at the time of invoking
 	       * the macro must be recovered, to be used
 	       * in parsing next line of macro definition.
+	       *
+	       * Executing a macro line can change "line"
+	       * to no longer provide sufficient space for
+	       * the saved line2 contents.
 	       */
-	      strcpy (line, line2);	/* Known to fit.  */
+	      if (strlen(line2) >= linelen)
+		{
+		  char *tmp = realloc (line, strlen(line2) + 1);
+		  if (tmp == NULL)
+		    {
+		      allocflg = 1;
+		      goto end_exec;
+		    }
+		  line = tmp;
+		  linelen = strlen(line2) + 1;
+		}
+	      strcpy (line, line2);
 	      makeargv ();		/* Get the arguments.  */
 	      argc = margc;
 	      argv = margv;