Index: contrib/mod_sftp/fxp.c
===================================================================
RCS file: /cvsroot/proftp/proftpd/contrib/mod_sftp/fxp.c,v
retrieving revision 1.139
diff -u -r1.139 fxp.c
--- contrib/mod_sftp/fxp.c 15 Feb 2012 22:10:56 -0000 1.139
+++ contrib/mod_sftp/fxp.c 15 Feb 2012 22:30:19 -0000
@@ -2511,7 +2511,18 @@
fxp_packet_data_allocsz += sz;
}
- memcpy(curr_buf, data, datalen);
+ /* We explicitly want to use memmove(3) here rather than memcpy(3),
+ * since it is possible (and likely) that after reading data out
+ * of this buffer, there will be leftover data which is put back into
+ * the buffer, only at a different offset. This means that the
+ * source and destination pointers CAN overlap; using memcpy(3) would
+ * lead to subtle memory copy issue (e.g. Bug#3743).
+ *
+ * This manifested as hard-to-reproduce SFTP upload/download stalls,
+ * segfaults, etc, due to corrupted memory being read out as
+ * packet lengths and such.
+ */
+ memmove(curr_buf, data, datalen);
curr_buflen = datalen;
return;
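Review bot: The eleven-line justification comment added above this memmove(3) call is repeated verbatim in the second hunk (the append path at new line 2567), so the same reasoning is now maintained in two places and will drift. Keep the full explanation here and reduce the second copy to a one-line cross-reference such as `/* memmove(3), not memcpy(3): src and dst may overlap; see the comment on the first copy above (Bug#3743). */`, or move both copies into a small static helper that both paths call. The memmove change itself is the right fix for the overlap described; the only thing the hunk does not show is where datalen is checked against the space reserved via fxp_packet_data_allocsz, which presumably happens just above the hunk. The enclosing function starts and ends outside this hunk.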
@@ -2556,8 +2567,18 @@
}
}
- /* Append the SSH2 data to the current unconsumed buffer. */
- memcpy(curr_buf + curr_buflen, data, datalen);
+ /* We explicitly want to use memmove(3) here rather than memcpy(3),
+ * since it is possible (and likely) that after reading data out
+ * of this buffer, there will be leftover data which is put back into
+ * the buffer, only at a different offset. This means that the
+ * source and destination pointers CAN overlap; using memcpy(3) would
+ * lead to subtle memory copy issue (e.g. Bug#3743).
+ *
+ * This manifested as hard-to-reproduce SFTP upload/download stalls,
+ * segfaults, etc, due to corrupted memory being read out as
+ * packet lengths and such.
+ */
+ memmove(curr_buf + curr_buflen, data, datalen);
curr_buflen += datalen;
}
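Review bot: The removed comment `/* Append the SSH2 data to the current unconsumed buffer. */` was the only line saying what this copy does, and the replacement explains only why memmove(3) is used, so a reader now has to infer the append semantics from `curr_buf + curr_buflen`. Keep that one-line description as the first line of the new comment block. It would also help to state the bound this write relies on, since nothing in the hunk shows that `curr_buflen + datalen` fits the allocation; presumably the growth path earlier in the function guarantees it, and a comment such as `/* Caller ensures curr_buflen + datalen fits the allocated buffer. */` (or an assert to that effect) makes the assumption visible. The enclosing function starts outside this hunk.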