-rw-r--r--src/appl/gssftp/ftpd/ChangeLog5
-rw-r--r--src/appl/gssftp/ftpd/popen.c12
2 files changed, 13 insertions, 4 deletions
diff --git a/src/appl/gssftp/ftpd/ChangeLog b/src/appl/gssftp/ftpd/ChangeLog
index 50256487f8..18377bb55b 100644
--- a/src/appl/gssftp/ftpd/ChangeLog
+++ b/src/appl/gssftp/ftpd/ChangeLog
@@ -1,3 +1,8 @@
+Fri Feb 6 13:25:28 1998 Theodore Y. Ts'o <tytso@mit.edu>
+
+ * popen.c (ftpd_popen): Make sure you can't overrun the argv[] and
+ gargv[] arrays. (Patch submitted by dima@best.net).
+
Thu Jan 29 19:51:02 1998 Dan Winship <danw@mit.edu>
* ftpd.c (auth_data): Accept forwarded credentials and dispose of
diff --git a/src/appl/gssftp/ftpd/popen.c b/src/appl/gssftp/ftpd/popen.c
index 89f29a2069..ffafe05296 100644
--- a/src/appl/gssftp/ftpd/popen.c
+++ b/src/appl/gssftp/ftpd/popen.c
@@ -58,6 +58,8 @@ static char sccsid[] = "@(#)popen.c 5.9 (Berkeley) 2/25/91";
static int *pids;
static int fds;
+#define MAX_ARGV 100
+#define MAX_GARGV 1000
FILE *
ftpd_popen(program, type)
@@ -66,7 +68,7 @@ ftpd_popen(program, type)
register char *cp;
FILE *iop;
int argc, gargc, pdes[2], pid;
- char **pop, *argv[100], *gargv[1000], *vv[2];
+ char **pop, *argv[MAX_ARGV], *gargv[MAX_GARGV], *vv[2];
extern char **ftpglob(), **copyblk();
if (*type != 'r' && *type != 'w' || type[1])
@@ -83,10 +85,12 @@ ftpd_popen(program, type)
return(NULL);
/* break up string into pieces */
- for (argc = 0, cp = program;; cp = NULL)
+ for (argc = 0, cp = program; argc < MAX_ARGV - 1; cp = NULL)
if (!(argv[argc++] = strtok(cp, " \t\n")))
break;
- for (argc = 0; argv[argc]; argc++) argv[argc] = strdup(argv[argc]);
+ argv[MAX_ARGV-1] = NULL;
+ for (argc = 0; argv[argc]; argc++)
+ argv[argc] = strdup(argv[argc]);
/* glob each piece */
gargv[0] = argv[0];
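Review bot: The bounded `strtok` loop stops at `MAX_ARGV - 1` tokens and the function then carries on with the shortened list, so an over-long command is silently truncated and still run rather than rejected. For a command line that presumably derives from client input, failing the request once the limit is reached is the safer behaviour. Separately, the reflowed `argv[argc] = strdup(argv[argc]);` still ignores allocation failure: a NULL stored mid-array looks like the terminator to any later walk over `argv`, which would drop the remaining arguments and leak their copies. A check such as `if (argv[argc] == NULL) goto cleanup;` (label name is a placeholder) would close that. The body of ftpd_popen continues outside this hunk, so the exact cleanup needed on either path is not visible here.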
@@ -97,7 +101,7 @@ ftpd_popen(program, type)
pop = copyblk(vv);
}
argv[argc] = (char *)pop; /* save to free later */
- while (*pop && gargc < 1000)
+ while (*pop && gargc < MAX_GARGV)
gargv[gargc++] = *pop++;
}
gargv[gargc] = NULL;
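Review bot: `gargv[gargc] = NULL;` after the loop can still write one element past the end of the array. The new bound `gargc < MAX_GARGV` lets `gargc` reach `MAX_GARGV`, and the terminator then lands at `gargv[MAX_GARGV]`. The copy loop should reserve the terminator slot, `while (*pop && gargc < MAX_GARGV - 1)`, matching the `MAX_ARGV - 1` bound this commit uses for `argv`. The enclosing glob loop starts outside the hunk, so its other exits are not checked here.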