File gftp-fsplib.patch of Package gftp

Overview Repositories Revisions Requests Users Attributes Meta

File gftp-fsplib.patch of Package gftp

CVE-2007-3961 CVE-2007-3962
================================================================================
--- lib/fsplib/fsplib.c
+++ lib/fsplib/fsplib.c
@@ -612,7 +612,7 @@
     entry->d_reclen = fentry.reclen;
     strncpy(entry->d_name,fentry.name,MAXNAMLEN);
 
-    if (fentry.namlen > MAXNAMLEN)
+    if (fentry.namlen >= MAXNAMLEN)
     {
 	entry->d_name[MAXNAMLEN] = '\0';
 #ifdef HAVE_NAMLEN
@@ -681,7 +681,7 @@
        dir->dirpos += 9;
        /* read file name */
        entry->name[255] = '\0';
-       strncpy(entry->name,(char *)( dir->data + dir->dirpos ),MAXNAMLEN);
+       strncpy(entry->name,(char *)( dir->data + dir->dirpos ),255);
        namelen = strlen( (char *) dir->data+dir->dirpos);
        /* skip over file name */
        dir->dirpos += namelen +1;
@@ -709,12 +709,12 @@
 
 struct dirent * fsp_readdir(FSP_DIR *dirp)
 {
-    static struct dirent entry;
+    static dirent_workaround entry;
     struct dirent *result;
     
     
     if (dirp == NULL) return NULL;
-    if ( fsp_readdir_r(dirp,&entry,&result) )
+    if ( fsp_readdir_r(dirp,&entry.dirent,&result) )
         return NULL;
     else
         return result;
--- lib/fsplib/fsplib.h
+++ lib/fsplib/fsplib.h
@@ -1,6 +1,7 @@
 #ifndef _FSPLIB_H
 #define _FSPLIB_H 1
 #include <time.h>
+#include <stddef.h>
 /* The FSP v2 protocol support library - public interface */
 
 /*
@@ -138,6 +139,12 @@
 		      unsigned int pos;          /* position of next packet */
 } FSP_FILE;
 
+
+typedef union dirent_workaround {
+      struct dirent dirent;
+      char fill[offsetof (struct dirent, d_name) + MAXNAMLEN + 1];
+} dirent_workaround;
+ 
 /* function prototypes */
 
 /* session management */

Places

File gftp-fsplib.patch of Package gftp

Places