From 9dd2ccb8de204e2333b7ffab90ded9f2178d64d8 Mon Sep 17 00:00:00 2001 From: Erik Auerswald Date: Sun, 25 Sep 2022 14:39:21 +0200 Subject: [PATCH] ftp: Avoid heap buffer overflow in macro execution This fixes the problem reported by ZFeiXQ in . * NEWS: Mention fix. * ftp/domacro.c (domacro): Check buffer size before copying into buffer. Reallocate buffer of sufficient size if necessary. --- NEWS | 3 +++ ftp/domacro.c | 17 ++++++++++++++++- 2 files changed, 19 insertions(+), 1 deletion(-) diff --git a/NEWS b/NEWS index 0246645b..c0cf49ba 100644 --- a/NEWS +++ b/NEWS @@ -8,6 +8,9 @@ GNU inetutils NEWS -- history of user-visible changes. out-of-bounds buffer access. Reported by AiDai in . +*** Avoid crash caused by heap buffer overflow. Reported by ZFeiXQ in +. + ** telnetd *** Avoid crash on 0xff 0xf7 (IAC EC) or 0xff 0xf8 (IAC EL). CVE-2022-39028 diff --git a/ftp/domacro.c b/ftp/domacro.c index fa37becb..7b2a8910 100644 --- a/ftp/domacro.c +++ b/ftp/domacro.c @@ -266,8 +266,23 @@ domacro (int argc, char *argv[]) /* The arguments set at the time of invoking * the macro must be recovered, to be used * in parsing next line of macro definition. + * + * Executing a macro line can change "line" + * to no longer provide sufficient space for + * the saved line2 contents. */ - strcpy (line, line2); /* Known to fit. */ + if (strlen(line2) >= linelen) + { + char *tmp = realloc (line, strlen(line2) + 1); + if (tmp == NULL) + { + allocflg = 1; + goto end_exec; + } + line = tmp; + linelen = strlen(line2) + 1; + } + strcpy (line, line2); makeargv (); /* Get the arguments. */ argc = margc; argv = margv;