fixed an invalid access to files array

this was found by Calum Hutton from Rapid7. It is a real bug, but
analysis shows it can't be leverged into an exploit. Worth fixing
though.

Many thanks to Calum and Rapid7 for finding and reporting this

diff --git a/sender.c b/sender.c
index a4d46c39e4843df5e0e42dfce845c7e0b8bb855f..b1588b7011720c9cfaa6c8af9bdf54e712f4c0bd 100644 (file)
--- a/sender.c
+++ b/sender.c
@@ -262,6 +262,8 @@ void send_files(int f_in, int f_out)
 
                if (ndx - cur_flist->ndx_start >= 0)
                        file = cur_flist->files[ndx - cur_flist->ndx_start];
 
                if (ndx - cur_flist->ndx_start >= 0)
                        file = cur_flist->files[ndx - cur_flist->ndx_start];

+               else if (cur_flist->parent_ndx < 0)
+                       exit_cleanup(RERR_PROTOCOL);

                else
                        file = dir_flist->files[cur_flist->parent_ndx];
                if (F_PATHNAME(file)) {
                else
                        file = dir_flist->files[cur_flist->parent_ndx];
                if (F_PATHNAME(file)) {