Deny the SIZE command on large files when in ASCII mode.

This eliminates an opportunity for DoS attack.

Pointed out by:	maxim
Inspired by:	lukemftpd, OpenBSD
MFC after:	2 weeks
This commit is contained in:
yar 2002-07-31 10:55:31 +00:00
parent d4e8ab46e4
commit 919470cf7d

View File

@ -1068,6 +1068,8 @@ check_login_ro
#define MAXGLOBARGS 1000
#define MAXASIZE 10240 /* Deny ASCII SIZE on files larger than that */
struct tab {
char *name;
short token;
@ -1589,6 +1591,10 @@ sizecmd(char *filename)
reply(550, "%s: not a plain file.", filename);
(void) fclose(fin);
return;
} else if (stbuf.st_size > MAXASIZE) {
reply(550, "%s: too large for type A SIZE.", filename);
(void) fclose(fin);
return;
}
count = 0;