Synopsis: one-byte overrun in replydirname() in ftpd
NetBSD versions: 1.4.3 and earlier
See also: 20001220-ftpd-1.5
Thanks to: Kristian Vlaardingerbroek , Jun-ichiro itojun Hagino
Index: libexec/ftpd/ftpd.c
===================================================================
RCS file: /cvsroot/basesrc/libexec/ftpd/ftpd.c,v
retrieving revision 1.61.2.3
retrieving revision 1.61.2.4
diff -u -u -r1.61.2.3 -r1.61.2.4
--- libexec/ftpd/ftpd.c 2000/07/08 18:58:10 1.61.2.3
+++ libexec/ftpd/ftpd.c 2000/12/14 22:33:47 1.61.2.4
@@ -105,7 +105,7 @@
 #define FALSE 0
 #endif
-const char version[] = "Version: 7.1.0";
+const char version[] = "Version: 7.1.0a";
 struct sockaddr_in ctrl_addr;
 struct sockaddr_in data_source;
@@ -1418,15 +1418,21 @@
 replydirname(name, message)
 const char *name, *message;
 {
- char npath[MAXPATHLEN + 1];
- int i;
+ char *p, *ep;
+ char npath[MAXPATHLEN];
- for (i = 0; *name != '\0' && i < sizeof(npath) - 1; i++, name++) {
- npath[i] = *name;
- if (*name == '"')
- npath[++i] = '"';
+ p = npath;
+ ep = &npath[sizeof(npath) - 1];
+ while (*name) {
+ if (*name == '"' && ep - p >= 2) {
+ *p++ = *name++;
+ *p++ = '"';
+ } else if (ep - p >= 1)
+ *p++ = *name++;
+ else
+ break;
 }
- npath[i] = '\0';
+ *p = '\0';
 reply(257, "\"%s\" %s", npath, message);
 }
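Review bot: Truncation can still end the quoted path on an unescaped `"`: when `*name == '"'` and exactly one byte is left before `ep`, the `ep - p >= 2` test fails and the `else if (ep - p >= 1)` branch copies the bare quote, so the 257 reply carries an unbalanced quote inside its quoted pathname (the RFC 959 convention the code is implementing is that every embedded quote is doubled). Excluding quotes from the fallback branch fixes it in one line, `} else if (*name != '"' && ep - p >= 1)`, so a quote that does not fit together with its escape reaches `break` instead. The bounds logic itself is sound now (`ep` is the last slot and every write is checked against it), but truncation is silent and the reserved slot is easy to misread, so a comment on the assignment would help: `/* ep is the slot reserved for the NUL; every write is checked to stop before it */`. The function's return-type line sits just above the hunk.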