Die if we overflowed the args[] array when building up the remote

command in do_cmd().

diff --git a/main.c b/main.c
index 0a0794a..e26c7b1 100644 (file)
--- a/main.c
+++ b/main.c
@@ -221,12 +221,13 @@ static void show_malloc_stats(void)
 
 
 /* Start the remote shell.   cmd may be NULL to use the default. */
-static pid_t do_cmd(char *cmd,char *machine,char *user,char *path,int *f_in,int *f_out)
+static pid_t do_cmd(char *cmd, char *machine, char *user, char *path,
+                   int *f_in, int *f_out)
 {
+       int i, argc = 0;
        char *args[100];
-       int i,argc=0;
        pid_t ret;
-       char *tok,*dir=NULL;
+       char *tok, *dir = NULL;
        int dash_l_set = 0;
 
        if (!read_batch && !local_server) {
@@ -239,9 +240,8 @@ static pid_t do_cmd(char *cmd,char *machine,char *user,char *path,int *f_in,int
                if (!cmd)
                        goto oom;
 
-               for (tok=strtok(cmd," ");tok;tok=strtok(NULL," ")) {
+               for (tok = strtok(cmd, " "); tok; tok = strtok(NULL, " "))
                        args[argc++] = tok;
-               }
 
                /* check to see if we've already been given '-l user' in
                 * the remote-shell command */
@@ -285,6 +285,11 @@ static pid_t do_cmd(char *cmd,char *machine,char *user,char *path,int *f_in,int
        if (!daemon_over_rsh && path && *path)
                args[argc++] = path;
 
+       if (argc >= (int)(sizeof args / sizeof args[0])) {
+               rprintf(FERROR, "internal: args[] overflowed in do_cmd()\n");
+               exit_cleanup(RERR_MALLOC); /* XXX Need better RERR? */
+       }
+
        args[argc] = NULL;
 
        if (verbose > 3) {
@@ -491,7 +496,7 @@ static void do_server_recv(int f_in, int f_out, int argc,char *argv[])
 {
        int status;
        struct file_list *flist;
-       char *local_name=NULL;
+       char *local_name = NULL;
        char *dir = NULL;
 
        if (verbose > 2) {