From 5ff2c5ff25750aba1a8f64fbcad8e5b891512584 Mon Sep 17 00:00:00 2001
From: Daniel Stenberg
Date: Mon, 25 Sep 2017 00:35:22 +0200
Subject: FTP: zero terminate the entry path even on bad input

... a single double quote could leave the entry path buffer without a zero terminating byte.

CVE-2017-1000254

Test 1152 added to verify.

Reported-by: Max Dymond
Bug: https://curl.haxx.se/docs/adv_20171004.html
---
 lib/ftp.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

(limited to 'lib/ftp.c')

diff --git a/lib/ftp.c b/lib/ftp.c
index 4860509f3..54ba4057f 100644
--- a/lib/ftp.c
+++ b/lib/ftp.c
@@ -2779,6 +2779,7 @@ static CURLcode ftp_statemach_act(struct connectdata *conn)
 const size_t buf_size = data->set.buffer_size;
 char *dir;
 char *store;
+ bool entry_extracted = FALSE;
 dir = malloc(nread + 1);
 if(!dir)
@@ -2810,7 +2811,7 @@ static CURLcode ftp_statemach_act(struct connectdata *conn)
 }
 else {
 /* end of path */
- *store = '\0'; /* zero terminate */
+ entry_extracted = TRUE;
 break; /* get out of this loop */
 }
 }
@@ -2819,7 +2820,9 @@ static CURLcode ftp_statemach_act(struct connectdata *conn)
 store++;
 ptr++;
 }
-
+ *store = '\0'; /* zero terminate */
+ }
+ if(entry_extracted) {
 /* If the path name does not look like an absolute path (i.e.: it
 does not start with a '/'), we probably need some server-dependent
 adjustments. For example, this is the case when connecting to
-- 
cgit v1.2.1
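Review bot: The moved `*store = '\0';` in the third hunk now terminates `dir` on both loop exits, but the fix is complete only if the `else` arm of the new `if(entry_extracted)` frees `dir` (allocated as `nread + 1` bytes in the first hunk) and the copy loop, whose header and termination condition lie outside the hunk, can never advance `store` beyond `dir + nread`; both should be confirmed since the hunk does not show them. The new guard deserves a why-comment so the next reader does not move the terminator back into the loop: `/* terminate unconditionally; a reply with a single unpaired quote exits the loop without reaching the "end of path" branch, and dir is only used when entry_extracted is set */`. The same pattern would benefit from a short comment on `bool entry_extracted = FALSE;` in the first hunk, e.g. `/* set only when the closing quote of the entry path was seen */`. ftp_statemach_act starts before and continues past every hunk in this patch.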