Fix buffer overflow bug in ftpParseListing()

diff --git a/src/ftp.cc b/src/ftp.cc
index f10aefbe8025aed9316957ac3456c688c3d645b4..55851987522a61d0c9fb4808319b1fd3ee23ee39 100644 (file)
--- a/src/ftp.cc
+++ b/src/ftp.cc
@@ -1,6 +1,6 @@
 
 /*
- * $Id: ftp.cc,v 1.216 1998/03/31 05:37:40 wessels Exp $
+ * $Id: ftp.cc,v 1.217 1998/04/07 23:50:50 wessels Exp $
  *
  * DEBUG: section 9     File Transfer Protocol (FTP)
  * AUTHOR: Harvest Derived
@@ -692,6 +692,7 @@ static void
 ftpParseListing(FtpStateData * ftpState, int len)
 {
     char *buf = ftpState->data.buf;
+    char *sbuf;                /* NULL-terminated copy of buf */
     char *end;
     char *line;
     char *s;
@@ -710,10 +711,11 @@ ftpParseListing(FtpStateData * ftpState, int len)
     }
     line = memAllocate(MEM_4K_BUF);
     end++;
-    /* XXX there is an ABR bug here.   We need to make sure buf is
-     * NULL terminated */
+    /* XXX, buf needs to be NULL terminated, copying is gross */
+    sbuf = xmalloc(len+1);
+    xstrncpy(sbuf, buf, len+1);
     storeBuffer(e);
-    for (s = buf; s < end; s += strcspn(s, crlf), s += strspn(s, crlf)) {
+    for (s = sbuf; s < end; s += strcspn(s, crlf), s += strspn(s, crlf)) {
        linelen = strcspn(s, crlf) + 1;
        if (linelen > 4096)
            linelen = 4096;
@@ -737,6 +739,7 @@ ftpParseListing(FtpStateData * ftpState, int len)
        ftpState->data.offset = strlen(ftpState->data.buf);
     }
     memFree(MEM_4K_BUF, line);
+    xfree(sbuf);
 }
 
 static void