I include a patch below that I believe fixes this problem.

There are several flaws in the current code of the makeargv function
in ftp/main.c. It certainly errs, but not on the side of caution.

1. The 'count' variable is supposed to count the number of arguments on
the command line. In fact it counts the number of arguments less one, so
malloc is often called with an argument of zero.

2. The argument to malloc is completely wrong. Space needs to be
reserved for a certain number of pointers; the length of the command
line string is irrelevant.

3. The slurpstring parsing function accepts both space and tab as
delimiters. The 'count' variable is calculated assuming spaces only.

4. It appears to me that the memory allocated for rargv is never freed,
leading to a memory leak. I may be wrong about this, and I do not know
the code well enough to suggest where the free should take place if it
does not happen already. My patch does not address this.

It is possible that this patch also fixes 505533.

Attempting to count parameters in advance is not the best solution in
my opinion. It is duplicating part of the effort of slurpstring.
My preference would have been to allocate memory for 20 pointers, as in
the original code, then realloc() for a larger size if more than 20
parameters are returned from slurpstring.

diff -Naur netkit-ftp-0.17/ftp/main.c netkit-ftp-0.17.patch/ftp/main.c
--- netkit-ftp-0.17/ftp/main.c  2008-12-14 19:32:55.000000000 +0000
+++ netkit-ftp-0.17.patch/ftp/main.c    2008-12-14 20:21:30.000000000 +0000
@@ -486,13 +486,16 @@

         /* Allocate enough space: err on the side of caution */
         while ( line[i] != '\0' ) {
-                if ( line[i] == ' ' )
+                if ( line[i] == ' ' || line[i] == '\t' )
                         count += 1 ;
-                i+= 1;
+                i += 1;
         }

-        /* allocate memory for $count-sized array of chars */
-        rargv = (char **) malloc( count * strlen(line));
+        /* count contains the number of arguments after the first.
+        * Allocate space for (count+3) pointers to arguments. We need
+        * (count+1) for the actual arguments, plus one for the NULL
+        * terminator, plus one in case of a leading ! or $ argument. */
+        rargv = malloc((count+3) * sizeof(char*));
    if (rargv == NULL)
                 fatal("Out of memory");
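Review bot: the delimiter-counting loop at the top of the hunk is still a second copy of slurpstring's split rules, so the allocation is correct only as long as slurpstring splits on exactly the characters this loop counts (plus the leading `!`/`$` case the new comment mentions); runs of consecutive spaces or tabs merely over-allocate, but any further split rule inside slurpstring would under-allocate again, which is the original bug in a new form. Either add a bounds check against the allocated size at the point where arguments are stored into `rargv`, or use the realloc() approach described above the patch so the array size follows the tokens actually produced. The `plus one in case of a leading ! or $ argument` line in the new comment should also say where that extra argument is produced, so a later reader can verify the `count+3` arithmetic.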



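The realloc()-based alternative described above the patch, as an added example that is not netkit-ftp code: the tokenizer here is a stand-in for slurpstring (it only splits on space and tab, no quoting), and the pointer array starts at 20 entries as in the original code and grows as tokens are produced, so its size cannot drift from the tokenizer's rules.

```c
#include <stdlib.h>
#include <string.h>

#define ARGV_INITIAL 20   /* same starting size as the original code */

/* Release an argv built by makeargv (the strings, then the array). */
void freeargv(char **argv)
{
    for (size_t i = 0; argv[i] != NULL; i++)
        free(argv[i]);
    free(argv);
}

/* Split 'line' on spaces and tabs into a NULL-terminated array of
 * freshly allocated strings. Runs of delimiters and leading or trailing
 * whitespace yield no empty arguments. The array grows with realloc()
 * as tokens are produced. Returns argc, or -1 on allocation failure
 * (nothing is leaked in that case). Hypothetical stand-in, not netkit's. */
int makeargv(const char *line, char ***argvp)
{
    size_t cap = ARGV_INITIAL, argc = 0;
    char **argv = malloc(cap * sizeof *argv);
    if (argv == NULL)
        return -1;
    argv[0] = NULL;
    for (const char *p = line;;) {
        while (*p == ' ' || *p == '\t')          /* skip a run of delimiters */
            p++;
        if (*p == '\0')
            break;
        const char *start = p;
        while (*p != '\0' && *p != ' ' && *p != '\t')
            p++;
        size_t len = (size_t)(p - start);
        /* Keep one slot spare so the NULL terminator always fits. */
        if (argc + 1 >= cap) {
            char **tmp = realloc(argv, cap * 2 * sizeof *argv);
            if (tmp == NULL) { freeargv(argv); return -1; }
            argv = tmp;
            cap *= 2;
        }
        if ((argv[argc] = malloc(len + 1)) == NULL) { freeargv(argv); return -1; }
        memcpy(argv[argc], start, len);
        argv[argc][len] = '\0';
        argv[++argc] = NULL;   /* array stays terminated after every step */
    }
    *argvp = argv;
    return (int)argc;
}
```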