* src/ftp-basic.c (ftp_request): Remove use of alloca

2025-01-03 00:40:28 +08:00 · 2020-02-13 17:10:01 +01:00 · 2020-02-13 17:10:01 +01:00 · 89e09e59f2
commit 89e09e59f2
parent 5505aced03
1 changed files with 18 additions and 2 deletions
--- a/src/ftp-basic.c
+++ b/src/ftp-basic.c
@ -93,8 +93,11 @@ static char *
 ftp_request (const char *command, const char *value)
 {
  char *res;
+
  if (value)
    {
+      char *defanged = NULL, buf[256];
+
      /* Check for newlines in VALUE (possibly injected by the %0A URL
         escape) making the callers inadvertently send multiple FTP
         commands at once.  Without this check an attacker could
@ -103,18 +106,31 @@ ftp_request (const char *command, const char *value)
      if (strpbrk (value, "\r\n"))
        {
          /* Copy VALUE to the stack and modify CR/LF to space. */
-          char *defanged, *p;
-          STRDUP_ALLOCA (defanged, value);
+          char *p;
+          size_t len = strlen(value);
+
+          if (len < sizeof (buf))
+            defanged = buf;
+          else
+            defanged = xmalloc (len + 1);
+
+          memcpy (defanged, value, len + 1);
+
          for (p = defanged; *p; p++)
            if (*p == '\r' || *p == '\n')
              *p = ' ';
+
          DEBUGP (("\nDetected newlines in %s \"%s\"; changing to %s \"%s\"\n",
                   command, quotearg_style (escape_quoting_style, value),
                   command, quotearg_style (escape_quoting_style, defanged)));
+
          /* Make VALUE point to the defanged copy of the string. */
          value = defanged;
        }
      res = concat_strings (command, " ", value, "\r\n", (char *) 0);
+
+      if (defanged != buf)
+        xfree (defanged);
    }
  else
    res = concat_strings (command, "\r\n", (char *) 0);