History log of /openbsd-current/libexec/ftpd/ftpcmd.y
Revision Date Author Comments
# 1.75 28-Apr-2024 florian

gmtime(3) / localtime(3) can fail when timestamps are way off.

Add missing error checks to all calls under libexec/

Input & OK millert


Revision tags: OPENBSD_7_3_BASE OPENBSD_7_4_BASE OPENBSD_7_5_BASE
# 1.74 08-Mar-2023 guenther

Delete obsolete /* ARGSUSED */ lint comments.

ok miod@ millert@


Revision tags: OPENBSD_7_0_BASE OPENBSD_7_1_BASE OPENBSD_7_2_BASE
# 1.73 31-May-2021 jan

Convert K&R function definitions to modern C.

OK naddy@, millert@


# 1.72 23-May-2021 jan

Constify function parameters.

OK martijn@


# 1.71 22-May-2021 jan

Remove useless islower(2) before toupper(3).

OK martijn@


# 1.70 20-May-2021 jan

Removes the useless FILE* parameter of get_line().
While here fix minor whitespace mistake.

"looks fine to me" chris@


Revision tags: OPENBSD_6_7_BASE OPENBSD_6_8_BASE OPENBSD_6_9_BASE
# 1.69 04-Mar-2020 millert

Avoid passing a NULL name to retrieve(), use "." instead.
Fixes a "vfprintf %s NULL" warning in ftpd.
OK deraadt@ tb@


Revision tags: OPENBSD_6_6_BASE
# 1.68 28-Jun-2019 deraadt

When system calls indicate an error they return -1, not some arbitrary
value < 0. errno is only updated in this case. Change all (most?)
callers of syscalls to follow this better, and let's see if this strictness
helps us in the future.


# 1.67 08-May-2019 tedu

rm dead code and simplify ftpd_popen. this code has only called
its statically linked ls_main for some time now.
from Jan Klemkow
ok deraadt


Revision tags: OPENBSD_6_2_BASE OPENBSD_6_3_BASE OPENBSD_6_4_BASE OPENBSD_6_5_BASE
# 1.66 27-Apr-2017 mikeb

Don't send multiple error messages in response to a single command

While a few commands (such as HELP and NOOP) are allowed in between
USER and PASS, most of the others are not. However if such command
is issued, ftpd should abort the command evaluation early and reply
with "530 Please login with USER and PASS."

From form@, with input from deraadt@ and OK millert@


# 1.65 17-Apr-2017 deraadt

memset() of password field should be explicit_bzero().
[Not using freezero() in yacc files yet]


Revision tags: OPENBSD_6_1_BASE
# 1.64 26-Aug-2016 tedu

trim down some NBBY references. 8 bits ought to be enough for anyone.


# 1.63 14-Aug-2016 guenther

Convert %q to %ll with long long casts for printf()
Delete pointless casts to off_t, void*, and uid_t

ok krw@


Revision tags: OPENBSD_5_9_BASE OPENBSD_6_0_BASE
# 1.62 16-Nov-2015 tedu

don't need to ifdef setproctitle


# 1.61 25-Oct-2015 tedu

unifdef some oldness. (BSD not defined since removal of param.h)
ok jca sthen


# 1.60 18-Aug-2015 deraadt

calloc() is prototyped; do not cast result


Revision tags: OPENBSD_5_8_BASE
# 1.59 17-Mar-2015 millert

Eliminate use of TM_YEAR_BASE. OK guenther@ deraadt@ miod@


# 1.58 15-Mar-2015 millert

tzfile.h is an internal header that should never have been installed.
What's worse, the tzfile.h that gets installed is over 20 years old
and doesn't match the real tzfile.h in libc/time. This makes the
tree safe for /usr/include/tzfile.h removal. The TM_YEAR_BASE
define has been moved to time.h temporarily until its usage is
replaced by 1900 in the tree. Actual removal of tzfile.h is pending
a ports build. Based on a diff from deraadt@


Revision tags: OPENBSD_5_7_BASE
# 1.57 16-Jan-2015 deraadt

Replace <sys/param.h> with <limits.h> and other less dirty headers where
possible. Annotate <sys/param.h> lines with their current reasons. Switch
to PATH_MAX, NGROUPS_MAX, HOST_NAME_MAX+1, LOGIN_NAME_MAX, etc. Change
MIN() and MAX() to local definitions of MINIMUM() and MAXIMUM() where
sensible to avoid pulling in the pollution. These are the files confirmed
through binary verification.
ok guenther, millert, doug (helped with the verification protocol)


Revision tags: OPENBSD_5_5_BASE OPENBSD_5_6_BASE
# 1.56 08-Feb-2014 millert

Fix REST (restart transfer) for offsets larger than 2GB. OK okan@


# 1.55 27-Nov-2013 deraadt

unsigned char for ctype
ok okan kettenis


Revision tags: OPENBSD_5_2_BASE OPENBSD_5_3_BASE OPENBSD_5_4_BASE
# 1.54 04-Mar-2012 fgsch

In preparation for getline and getdelim additions to libc, rename getline()
occurrences to get_line().
Based on a diff from Jan Klemkow <j-dot-klemkow-at-wemelug-dot-de> to tech.


Revision tags: OPENBSD_4_7_BASE OPENBSD_4_8_BASE OPENBSD_4_9_BASE OPENBSD_5_0_BASE OPENBSD_5_1_BASE
# 1.53 27-Oct-2009 deraadt

rcsid[] and sccsid[] and copyright[] are essentially unmaintained (and
unmaintainable). these days, people use source. these id's do not provide
any benefit, and do hurt the small install media
(the 33,000 line diff is essentially mechanical)
ok with the idea millert, ok dms


Revision tags: OPENBSD_4_5_BASE OPENBSD_4_6_BASE
# 1.52 13-Sep-2008 moritz

Fix minor bug in the previous commit, which could hang the
current session, when the last character of an overly long line
was a newline character. Additionally reply with
500 "Command too long" for commands, which are too large.

Issue found and proposed fix by Luke Mewburn <lukem@NetBSD.org>.

ok millert@


# 1.51 12-Sep-2008 moritz

Don't split large commands into multiple commands on a 512-byte
boundary but just fail on them. This prevents CSRF-like attacks,
when a web browser is used to access an ftp server.

Reported by Maksymilian Arciemowicz <cxib@securityreason.com>.

ok millert@ martynas@


Revision tags: OPENBSD_4_4_BASE
# 1.50 30-Jun-2008 ragge

Include file order must be "monitor.h" before "extern.h" otherwise enum
auth_ret is referenced before it is declared, which is not allowed by C99.

Ok krw@, millert@, gilles@


Revision tags: OPENBSD_4_0_BASE OPENBSD_4_1_BASE OPENBSD_4_2_BASE OPENBSD_4_3_BASE
# 1.49 21-Apr-2006 deraadt

lint cleanup; ok ray moritz dhill


Revision tags: OPENBSD_3_7_BASE OPENBSD_3_8_BASE OPENBSD_3_9_BASE
# 1.48 11-Dec-2004 moritz

make syscalls in the monitor restartable when signals occur, as was
the case before privsep and only wait() for our slave processes.
with help from millert@

ok millert@ henning@


# 1.47 06-Dec-2004 deraadt

separate reply_r, like earlier change but safer; moritz ok


# 1.46 04-Dec-2004 deraadt

reply() used to play a lot with stdout, especially fflush(stdout).
The recent change is to avoid stdio. That's good, except there are
nearly 130 calls to this function, yet what if one of them depended on
fflush() or something else in this code? The semantic change was
never checked. That is not how we do development -- back this out
until we know that checking work has been done.


# 1.45 03-Dec-2004 moritz

make reply() reentrant. fixes a signal race.
ok henning@


# 1.44 28-Nov-2004 henning

privilege separate ftpd
handle the pre-authentication phase (minus a tiny tiny tiny amount
of code after accept()) in an unprivileged process, asking the
privileged monitor for help where needed.
work by Moritz Jodeit <moritz@jodeit.org> with help from theo and me
tests theo ian@ matthieu@ ben@networkinsanity.com a.schlichting@lemarit.com


Revision tags: OPENBSD_3_5_BASE OPENBSD_3_6_BASE
# 1.43 10-Dec-2003 deraadt

spacing


Revision tags: OPENBSD_3_4_BASE
# 1.42 02-Jun-2003 millert

Remove the advertising clause in the UCB license which Berkeley
rescinded 22 July 1999. Proofed by myself and Theo.


Revision tags: OPENBSD_3_2_BASE OPENBSD_3_3_BASE
# 1.41 02-Jul-2002 danh

* use lostconn() as the SIGALRM handler in receive_data() as originally
done by downsj@ in revision 1.54.

* some -Wall cleanup
- only declare check_host() if TCPWRAPPERS is defined.
- use socklen_t where appropriate instead of int (pointer signedness
warnings).
- {u_}char * pointer signedness warnings.

ok millert@


# 1.40 17-Jun-2002 danh

Initialize SIGALRM handler once in main(), instead of in several
different locations.

This fixes a problem where the SIGALRM handler was being set to an
uninitialized pointer in receive_data(). Originally reported to the
misc@ list by Colin Harford.

ok millert@


Revision tags: OPENBSD_3_1_BASE
# 1.39 19-Feb-2002 mpech

Rewrite upper().

millert@ ok


# 1.38 16-Feb-2002 millert

Part one of userland __P removal. Done with a simple regexp with some minor hand editing to make comments line up correctly. Another pass is forthcoming that handles the cases that could not be done automatically.


# 1.37 30-Jan-2002 mpech

Fix leak in `EPSV ALL`.
Since now ``ALL'' should be treated like CRLF, COMMA, etc.

millert@ ok


# 1.36 30-Jan-2002 mpech

protect `RNTO` from NULL pointer.

millert@ ok


# 1.35 25-Jan-2002 mpech

s is pointer. 0 -> NULL.

millert@ ok


# 1.34 25-Jan-2002 mpech

Catch not valid chmod value earlier. This makes sense, before we didn't
handle some situations and pass value to chmod() instead of fatal.
Idea stolen from `SITE UMASK` handler.

millert@ ok


# 1.33 23-Jan-2002 mpech

lookup() returns pointer. Convert 0 -> NULL.

millert@ ok


# 1.32 23-Jan-2002 mpech

``pathname'' can be NULL here too.

millert@ ok


# 1.31 17-Jan-2002 itojun

reject SIZE request for ascii mode if file is larger than 10k.


# 1.30 08-Jan-2002 millert

Close potential memory leak wrt "fromname"; inspired by similar FreeBSD
changes.


# 1.29 08-Jan-2002 millert

STRING is never NULL so there is no need to test it for NULL before
freeing it.


# 1.28 28-Dec-2001 millert

Fix memory leak with EPRT command; Hiroyuki YAMAMORI


# 1.27 07-Dec-2001 mpech

kill more registers;

millert@ ok


# 1.26 04-Dec-2001 millert

Kill setjmp/longjmp
o fix error recovery in the parser so there is no longer a need for jmping
o make SIGURG handler interrupt syscalls and just set a flag that we test
for later.

Use waitpid() not wait3() for portability. Restart waitpid() loop
if another signal interrupts us.

Calling dologout() from signal handlers is safe because it doesn't
use stdio, nor do the two functions it calls (logout and ftpdlogwtmp).


# 1.25 05-Nov-2001 deraadt

more signal marks, and some syslog_r in handlers


Revision tags: OPENBSD_2_9_BASE OPENBSD_3_0_BASE
# 1.24 14-Nov-2000 itojun

cleanup EPSV/EPRT error handling. avoid possible memory leak (getaddrinfo).
correct error code on unsupported protocol parameter against EPRT (522).


# 1.23 13-Nov-2000 itojun

combine check_epsvall + check_login into check_login_epsvall.
we cannot split check_login and check_epsvall. if we do that, we end up
generating two results against single command.


# 1.22 13-Nov-2000 itojun

make sure to check_login on EPSV/LPSV. move epsvall check into check_epsvall.


Revision tags: OPENBSD_2_8_BASE
# 1.21 17-Jun-2000 deraadt

pr 772; -u blocks chmod command, michaels@inet.no


Revision tags: OPENBSD_2_7_BASE
# 1.20 29-Apr-2000 deraadt

indent


# 1.19 15-Jan-2000 ericj

(char *)0 -> NULL cleanup. From NetBSD


# 1.18 08-Dec-1999 itojun

IPv6 support from KAME.
XXX kerberos and tcp_wrapper needs checking


Revision tags: OPENBSD_2_6_BASE
# 1.17 08-Oct-1999 deraadt

correct; dholland@hcs.harvard.edu, root@zen.ics.uwe.ac.uk


Revision tags: OPENBSD_2_4_BASE OPENBSD_2_5_BASE
# 1.16 22-May-1998 deraadt

use TM_YEAR_BASE; lukem


Revision tags: OPENBSD_2_3_BASE
# 1.15 03-Feb-1998 downsj

Work around a glob() and Netscape problem; the local glob() hacker may
want to read the commentary if he wants another project.


# 1.14 18-Dec-1997 deraadt

Be so specific about the exact details of a PORT command error, that we
strike fear into the hearts of attackers (naw, I bet not...)


# 1.13 18-Dec-1997 deraadt

bitch if attacker tries to make PORT values overflow each other (they cannot anyways, but let him know we are onto him)


# 1.12 12-Dec-1997 deraadt

default to violating the RFC wrt the PORT command. Use -P to conform to the
RFC and possibly open up non-OpenBSD boxes in a trust relationship on your
network to possible ftp bounce attacks...


Revision tags: OPENBSD_2_2_BASE
# 1.11 23-Jul-1997 kstailey

tabify


# 1.10 22-Jul-1997 deraadt

setproctitle less


Revision tags: OPENBSD_2_1_BASE
# 1.9 02-Jan-1997 bitblt

Fix for the shift-reduce conflict, contributed by dholland@hcs.harvard.edu,
who is porting the OpenBSD ftpd to (of all things) Linux.


# 1.8 07-Dec-1996 bitblt

ftpd now eventually times out if a ftp client does:
pasv
list
and then crashes.
The timeout should only apply to the accept(), so that transfers can
take as long as necessary to complete.
Thanks to Theo for moving toolong() to extern.h so that it can be used
in ftpd.c as well as in ftpcmd.y.


# 1.7 16-Oct-1996 bitblt

Fixed a memory leak associated with the HELP and SITE HELP commands.


Revision tags: OPENBSD_2_0_BASE
# 1.6 19-Sep-1996 bitblt

reduced the number of commands available to users who are not logged
in, fixed a memory leak in RNFR


# 1.5 04-Sep-1996 deraadt

clear passwd, for safety


# 1.4 22-Aug-1996 deraadt

de-gibble ftpd for w


# 1.3 07-Aug-1996 downsj

strcpy -> strncpy, kill off a strdup() clone.


# 1.2 23-Apr-1996 deraadt

sync with netbsd 960418


# 1.1 18-Oct-1995 deraadt

branches: 1.1.1;
Initial revision


# 1.73 31-May-2021 jan

Convert K&R function definitions to modern C.

OK naddy@, millert@


# 1.72 23-May-2021 jan

Constify function parameters.

OK martijn@


# 1.71 22-May-2021 jan

Remove useless islower(2) before toupper(3).

OK martijn@


# 1.70 20-May-2021 jan

Removes the useless FILE* parameter of get_line().
While here fix minor whitespace mistake.

"looks fine to me" chris@


Revision tags: OPENBSD_6_7_BASE OPENBSD_6_8_BASE OPENBSD_6_9_BASE
# 1.69 04-Mar-2020 millert

Avoid passing a NULL name to retrieve(), use "." instead.
Fixes a "vfprintf %s NULL" warning in ftpd.
OK deraadt@ tb@


Revision tags: OPENBSD_6_6_BASE
# 1.68 28-Jun-2019 deraadt

When system calls indicate an error they return -1, not some arbitrary
value < 0. errno is only updated in this case. Change all (most?)
callers of syscalls to follow this better, and let's see if this strictness
helps us in the future.


# 1.67 08-May-2019 tedu

rm dead code and simplify ftpd_popen. this code has only called
its statically linked ls_main for some time now.
from Jan Klemkow
ok deraadt


Revision tags: OPENBSD_6_2_BASE OPENBSD_6_3_BASE OPENBSD_6_4_BASE OPENBSD_6_5_BASE
# 1.66 27-Apr-2017 mikeb

Don't send multiple error messages in response to a single command

While a few commands (such as HELP and NOOP) are allowed in between
USER and PASS, most of the others are not. However if such command
is issued, ftpd should abort the command evaluation early and reply
with "530 Please login with USER and PASS."

From form@, with input from deraadt@ and OK millert@


# 1.65 17-Apr-2017 deraadt

memset() of password field should be explicit_bzero().
[Not using freezero() in yacc files yet]


Revision tags: OPENBSD_6_1_BASE
# 1.64 26-Aug-2016 tedu

trim down some NBBY references. 8 bits ought to be enough for anyone.


# 1.63 14-Aug-2016 guenther

Convert %q to %ll with long long casts for printf()
Delete pointless casts to off_t, void*, and uid_t

ok krw@


Revision tags: OPENBSD_5_9_BASE OPENBSD_6_0_BASE
# 1.62 16-Nov-2015 tedu

don't need to ifdef setproctitle


# 1.61 25-Oct-2015 tedu

unifdef some oldness. (BSD not defined since removal of param.h)
ok jca sthen


# 1.60 18-Aug-2015 deraadt

calloc() is prototyped; do not cast result


Revision tags: OPENBSD_5_8_BASE
# 1.59 17-Mar-2015 millert

Eliminate use of TM_YEAR_BASE. OK guenther@ deraadt@ miod@


# 1.58 15-Mar-2015 millert

tzfile.h is an internal header that should never have been installed.
What's worse, the tzfile.h that gets installed is over 20 years old
and doesn't match the real tzfile.h in libc/time. This makes the
tree safe for /usr/include/tzfile.h removal. The TM_YEAR_BASE
define has been moved to time.h temporarily until its usage is
replaced by 1900 in the tree. Actual removal of tzfile.h is pending
a ports build. Based on a diff from deraadt@


Revision tags: OPENBSD_5_7_BASE
# 1.57 16-Jan-2015 deraadt

Replace <sys/param.h> with <limits.h> and other less dirty headers where
possible. Annotate <sys/param.h> lines with their current reasons. Switch
to PATH_MAX, NGROUPS_MAX, HOST_NAME_MAX+1, LOGIN_NAME_MAX, etc. Change
MIN() and MAX() to local definitions of MINIMUM() and MAXIMUM() where
sensible to avoid pulling in the pollution. These are the files confirmed
through binary verification.
ok guenther, millert, doug (helped with the verification protocol)


Revision tags: OPENBSD_5_5_BASE OPENBSD_5_6_BASE
# 1.56 08-Feb-2014 millert

Fix REST (restart transfer) for offsets large than 2GB. OK okan@


# 1.55 27-Nov-2013 deraadt

unsigned char for ctype
ok okan kettenis


Revision tags: OPENBSD_5_2_BASE OPENBSD_5_3_BASE OPENBSD_5_4_BASE
# 1.54 04-Mar-2012 fgsch

In preparation for getline and getdelim additions to libc, rename getline()
occurrences to get_line().
Based on a diff from Jan Klemkow <j-dot-klemkow-at-wemelug-dot-de> to tech.


Revision tags: OPENBSD_4_7_BASE OPENBSD_4_8_BASE OPENBSD_4_9_BASE OPENBSD_5_0_BASE OPENBSD_5_1_BASE
# 1.53 27-Oct-2009 deraadt

rcsid[] and sccsid[] and copyright[] are essentially unmaintained (and
unmaintainable). these days, people use source. these id's do not provide
any benefit, and do hurt the small install media
(the 33,000 line diff is essentially mechanical)
ok with the idea millert, ok dms


Revision tags: OPENBSD_4_5_BASE OPENBSD_4_6_BASE
# 1.52 13-Sep-2008 moritz

Fix minor bug in the previous commit, which could hang the
current session, when the last character of an overly long line
was a newline character. Additionally reply with
500 "Command too long" for commands, which are too large.

Issue found and proposed fix by Luke Mewburn <lukem@NetBSD.org>.

ok millert@


# 1.51 12-Sep-2008 moritz

Don't split large commands into multiple commands on a 512-byte
boundary but just fail on them. This prevents CSRF-like attacks,
when a web browser is used to access an ftp server.

Reported by Maksymilian Arciemowicz <cxib@securityreason.com>.

ok millert@ martynas@


Revision tags: OPENBSD_4_4_BASE
# 1.50 30-Jun-2008 ragge

Include file order must be "monitor.h" before "extern.h" otherwise enum
auth_ret is referenced before it is declared, which is not allowed by C99.

Ok krw@, millert@, gilles@


Revision tags: OPENBSD_4_0_BASE OPENBSD_4_1_BASE OPENBSD_4_2_BASE OPENBSD_4_3_BASE
# 1.49 21-Apr-2006 deraadt

lint cleanup; ok ray moritz dhill


Revision tags: OPENBSD_3_7_BASE OPENBSD_3_8_BASE OPENBSD_3_9_BASE
# 1.48 11-Dec-2004 moritz

make syscalls in the monitor restartable when signals occur, as was
the case before privsep and only wait() for our slave processes.
with help from millert@

ok millert@ henning@


# 1.47 06-Dec-2004 deraadt

seperate reply_r, like earlier change but safer; moritz ok


# 1.46 04-Dec-2004 deraadt

reply() used to play a lot with stdout, expecially fflush(stdout).
The recent change is to avoid stdio. That's good, except there are
nearly 130 calls to this function, yet what if one of them depended on
fflush() or something else in this code? The semantic change was
never checked. That is not how we do development -- back this out
until we know that checking work has been done.


# 1.45 03-Dec-2004 moritz

make reply() reentrant. fixes a signal race.
ok henning@


# 1.44 28-Nov-2004 henning

privilege seperate ftpd
handle the pre-authentication phase (minus a tiny tiny tiny amount
of code after accept()) in an unprivileged process, asking the
privileged monitor for help where needed.
work by Moritz Jodeit <moritz@jodeit.org> with help from theo and me
tests theo ian@ matthieu@ ben@networkinsanity.com a.schlichting@lemarit.com


Revision tags: OPENBSD_3_5_BASE OPENBSD_3_6_BASE
# 1.43 10-Dec-2003 deraadt

spacing


Revision tags: OPENBSD_3_4_BASE
# 1.42 02-Jun-2003 millert

Remove the advertising clause in the UCB license which Berkeley
rescinded 22 July 1999. Proofed by myself and Theo.


Revision tags: OPENBSD_3_2_BASE OPENBSD_3_3_BASE
# 1.41 02-Jul-2002 danh

* use lostconn() as the SIGALRM handler in receive_data() as originally
done by downsj@ in revision 1.54.

* some -Wall cleanup
- only declare check_host() if TCPWRAPPERS is defined.
- use socklen_t where appropriate instead of int (pointer signedness
warnings).
- {u_}char * pointer signedness warnings.

ok millert@


# 1.40 17-Jun-2002 danh

Initialize SIGALRM handler once in main(), instead of in several
different locations.

This fixes a problem where the SIGALRM handler was being set to an
uninitialized pointer in receive_data(). Originally reported to the
misc@ list by Colin Harford.

ok millert@


Revision tags: OPENBSD_3_1_BASE
# 1.39 19-Feb-2002 mpech

Rewrite upper().

millert@ ok


# 1.38 16-Feb-2002 millert

Part one of userland __P removal. Done with a simple regexp with some minor hand editing to make comments line up correctly. Another pass is forthcoming that handles the cases that could not be done automatically.


# 1.37 30-Jan-2002 mpech

Fix leak in `EPSV ALL`.
Since now ``ALL'' should be treated like CRLF, COMMA, etc.

millert@ ok


# 1.36 30-Jan-2002 mpech

protect `RNTO` from NULL pointer.

millert@ ok


# 1.35 25-Jan-2002 mpech

s is pointer. 0 -> NULL.

millert@ ok


# 1.34 25-Jan-2002 mpech

Catch not valid chmod value earlier. This makes sense, before we didn't
handle some situations and pass value to chmod() instead of fatal.
Idea stolen from `SITE UMASK` handler.

millert@ ok


# 1.33 23-Jan-2002 mpech

lookup() returns pointer. Convert 0 -> NULL.

millert@ ok


# 1.32 23-Jan-2002 mpech

``pathname'' can be NULL here too.

millert@ ok


# 1.31 17-Jan-2002 itojun

reject SIZE request for ascii mode if file is larger than 10k.


# 1.30 08-Jan-2002 millert

Close potential memory leak wrt "fromname"; inspired by similar FreeBSD
changes.


# 1.29 08-Jan-2002 millert

STRING is never NULL so there is no need to test it for NULL before
freeing it.


# 1.28 28-Dec-2001 millert

Fix memory leak with EPRT command; Hiroyuki YAMAMORI


# 1.27 07-Dec-2001 mpech

kill more registers;

millert@ ok


# 1.26 04-Dec-2001 millert

Kill setjmp/longjmp
o fix error recovery in the parser so there is no longer a need for jmping
o make SIGURG handler interrupt syscalls and just set a flag that we test
for later.

Use waitpid() not wait3() for portability. Restart waitpid() loop
if another signal interrupts us.

Calling dologout() from signal handlers is safe because it doesn't
use stdio, nor do the two functions it calls (logout and ftpdlogwtmp).


# 1.25 05-Nov-2001 deraadt

more signal marks, and some syslog_r in handlers


Revision tags: OPENBSD_2_9_BASE OPENBSD_3_0_BASE
# 1.24 14-Nov-2000 itojun

cleanup EPSV/EPRT error handling. avoid possible memory leak (getaddrinfo).
correct error code on unsupported protocol parameter against EPRT (522).


# 1.23 13-Nov-2000 itojun

combine check_epsvall + check_login into check_login_epsvall.
we cannot split check_login and check_epsvall. if we do that, we end up
generating two results against single command.


# 1.22 13-Nov-2000 itojun

make sure to check_login on EPSV/LPSV. move epvsall check into check_epsvall.


Revision tags: OPENBSD_2_8_BASE
# 1.21 17-Jun-2000 deraadt

pr 772; -u blocks chmod command, michaels@inet.no


Revision tags: OPENBSD_2_7_BASE
# 1.20 29-Apr-2000 deraadt

indent


# 1.19 15-Jan-2000 ericj

(char *)0 -> NULL cleanup. From NetBSD


# 1.18 08-Dec-1999 itojun

IPv6 support from KAME.
XXX kerberos and tcp_wrapper needs checking


Revision tags: OPENBSD_2_6_BASE
# 1.17 08-Oct-1999 deraadt

correct; dholland@hcs.harvard.edu, root@zen.ics.uwe.ac.uk


Revision tags: OPENBSD_2_4_BASE OPENBSD_2_5_BASE
# 1.16 22-May-1998 deraadt

use TM_YEAR_BASE; lukem


Revision tags: OPENBSD_2_3_BASE
# 1.15 03-Feb-1998 downsj

Work around a glob() and Netscape problem; the local glob() hacker may
want to read the commentary if he wants another project.


# 1.14 18-Dec-1997 deraadt

Be so specific about the exact details of a PORT command error, that we
strike fear into the hearts of attackers (naw, I bet not...)


# 1.13 18-Dec-1997 deraadt

bitch if attacker tries to make PORT values overflow each other (they cannot anyways, but let him know we are onto him)


# 1.12 12-Dec-1997 deraadt

default to violating the RFC wrt the PORT command. Use -P to conform to the
RFC and possibly open up non-OpenBSD boxes in a trust relationship on your
network to possible ftp bounce attacks...


Revision tags: OPENBSD_2_2_BASE
# 1.11 23-Jul-1997 kstailey

tabify


# 1.10 22-Jul-1997 deraadt

setproctitle less


Revision tags: OPENBSD_2_1_BASE
# 1.9 02-Jan-1997 bitblt

Fix for the shift-reduce conflict, contributed by dholland@hcs.harvard.edu,
who is porting the OpenBSD ftpd to (of all things) Linux.


# 1.8 07-Dec-1996 bitblt

ftpd now eventually times out if a ftp client does:
pasv
list
and then crashes.
The timeout should only apply to the accept(), so that transfers can
take as long as necessary to complete.
Thanks to Theo for moving toolong() to extern.h so that it can be used
in ftpd.c as well as in ftpcmd.y.


# 1.7 16-Oct-1996 bitblt

Fixed a memory leak associated with the HELP and SITE HELP commands.


Revision tags: OPENBSD_2_0_BASE
# 1.6 19-Sep-1996 bitblt

reduced the number of commands available to users who are not logged
in, fixed a memory leak in RNFR


# 1.5 04-Sep-1996 deraadt

clear passwd, for safety


# 1.4 22-Aug-1996 deraadt

de-gibble ftpd for w


# 1.3 07-Aug-1996 downsj

strcpy -> strncpy, kill off a strdup() clone.


# 1.2 23-Apr-1996 deraadt

sync with netbsd 960418


# 1.1 18-Oct-1995 deraadt

branches: 1.1.1;
Initial revision


# 1.70 20-May-2021 jan

Removes the useless FILE* parameter of get_line().
While here fix minor whitespace mistake.

"looks fine to me" chris@


Revision tags: OPENBSD_6_7_BASE OPENBSD_6_8_BASE OPENBSD_6_9_BASE
# 1.69 04-Mar-2020 millert

Avoid passing a NULL name to retrieve(), use "." instead.
Fixes a "vfprintf %s NULL" warning in ftpd.
OK deraadt@ tb@


Revision tags: OPENBSD_6_6_BASE
# 1.68 28-Jun-2019 deraadt

When system calls indicate an error they return -1, not some arbitrary
value < 0. errno is only updated in this case. Change all (most?)
callers of syscalls to follow this better, and let's see if this strictness
helps us in the future.


# 1.67 08-May-2019 tedu

rm dead code and simplify ftpd_popen. this code has only called
its statically linked ls_main for some time now.
from Jan Klemkow
ok deraadt


Revision tags: OPENBSD_6_2_BASE OPENBSD_6_3_BASE OPENBSD_6_4_BASE OPENBSD_6_5_BASE
# 1.66 27-Apr-2017 mikeb

Don't send multiple error messages in response to a single command

While a few commands (such as HELP and NOOP) are allowed in between
USER and PASS, most of the others are not. However if such command
is issued, ftpd should abort the command evaluation early and reply
with "530 Please login with USER and PASS."

From form@, with input from deraadt@ and OK millert@


# 1.65 17-Apr-2017 deraadt

memset() of password field should be explicit_bzero().
[Not using freezero() in yacc files yet]


Revision tags: OPENBSD_6_1_BASE
# 1.64 26-Aug-2016 tedu

trim down some NBBY references. 8 bits ought to be enough for anyone.


# 1.63 14-Aug-2016 guenther

Convert %q to %ll with long long casts for printf()
Delete pointless casts to off_t, void*, and uid_t

ok krw@


Revision tags: OPENBSD_5_9_BASE OPENBSD_6_0_BASE
# 1.62 16-Nov-2015 tedu

don't need to ifdef setproctitle


# 1.61 25-Oct-2015 tedu

unifdef some oldness. (BSD not defined since removal of param.h)
ok jca sthen


# 1.60 18-Aug-2015 deraadt

calloc() is prototyped; do not cast result


Revision tags: OPENBSD_5_8_BASE
# 1.59 17-Mar-2015 millert

Eliminate use of TM_YEAR_BASE. OK guenther@ deraadt@ miod@


# 1.58 15-Mar-2015 millert

tzfile.h is an internal header that should never have been installed.
What's worse, the tzfile.h that gets installed is over 20 years old
and doesn't match the real tzfile.h in libc/time. This makes the
tree safe for /usr/include/tzfile.h removal. The TM_YEAR_BASE
define has been moved to time.h temporarily until its usage is
replaced by 1900 in the tree. Actual removal of tzfile.h is pending
a ports build. Based on a diff from deraadt@


Revision tags: OPENBSD_5_7_BASE
# 1.57 16-Jan-2015 deraadt

Replace <sys/param.h> with <limits.h> and other less dirty headers where
possible. Annotate <sys/param.h> lines with their current reasons. Switch
to PATH_MAX, NGROUPS_MAX, HOST_NAME_MAX+1, LOGIN_NAME_MAX, etc. Change
MIN() and MAX() to local definitions of MINIMUM() and MAXIMUM() where
sensible to avoid pulling in the pollution. These are the files confirmed
through binary verification.
ok guenther, millert, doug (helped with the verification protocol)


Revision tags: OPENBSD_5_5_BASE OPENBSD_5_6_BASE
# 1.56 08-Feb-2014 millert

Fix REST (restart transfer) for offsets larger than 2GB. OK okan@


# 1.55 27-Nov-2013 deraadt

unsigned char for ctype
ok okan kettenis


Revision tags: OPENBSD_5_2_BASE OPENBSD_5_3_BASE OPENBSD_5_4_BASE
# 1.54 04-Mar-2012 fgsch

In preparation for getline and getdelim additions to libc, rename getline()
occurrences to get_line().
Based on a diff from Jan Klemkow <j-dot-klemkow-at-wemelug-dot-de> to tech.


Revision tags: OPENBSD_4_7_BASE OPENBSD_4_8_BASE OPENBSD_4_9_BASE OPENBSD_5_0_BASE OPENBSD_5_1_BASE
# 1.53 27-Oct-2009 deraadt

rcsid[] and sccsid[] and copyright[] are essentially unmaintained (and
unmaintainable). these days, people use source. these id's do not provide
any benefit, and do hurt the small install media
(the 33,000 line diff is essentially mechanical)
ok with the idea millert, ok dms


Revision tags: OPENBSD_4_5_BASE OPENBSD_4_6_BASE
# 1.52 13-Sep-2008 moritz

Fix minor bug in the previous commit, which could hang the
current session, when the last character of an overly long line
was a newline character. Additionally reply with
500 "Command too long" for commands, which are too large.

Issue found and proposed fix by Luke Mewburn <lukem@NetBSD.org>.

ok millert@


# 1.51 12-Sep-2008 moritz

Don't split large commands into multiple commands on a 512-byte
boundary but just fail on them. This prevents CSRF-like attacks,
when a web browser is used to access an ftp server.

Reported by Maksymilian Arciemowicz <cxib@securityreason.com>.

ok millert@ martynas@


Revision tags: OPENBSD_4_4_BASE
# 1.50 30-Jun-2008 ragge

Include file order must be "monitor.h" before "extern.h" otherwise enum
auth_ret is referenced before it is declared, which is not allowed by C99.

Ok krw@, millert@, gilles@


Revision tags: OPENBSD_4_0_BASE OPENBSD_4_1_BASE OPENBSD_4_2_BASE OPENBSD_4_3_BASE
# 1.49 21-Apr-2006 deraadt

lint cleanup; ok ray moritz dhill


Revision tags: OPENBSD_3_7_BASE OPENBSD_3_8_BASE OPENBSD_3_9_BASE
# 1.48 11-Dec-2004 moritz

make syscalls in the monitor restartable when signals occur, as was
the case before privsep and only wait() for our slave processes.
with help from millert@

ok millert@ henning@


# 1.47 06-Dec-2004 deraadt

separate reply_r, like earlier change but safer; moritz ok


# 1.46 04-Dec-2004 deraadt

reply() used to play a lot with stdout, especially fflush(stdout).
The recent change is to avoid stdio. That's good, except there are
nearly 130 calls to this function, yet what if one of them depended on
fflush() or something else in this code? The semantic change was
never checked. That is not how we do development -- back this out
until we know that checking work has been done.


# 1.45 03-Dec-2004 moritz

make reply() reentrant. fixes a signal race.
ok henning@


# 1.44 28-Nov-2004 henning

privilege separate ftpd
handle the pre-authentication phase (minus a tiny tiny tiny amount
of code after accept()) in an unprivileged process, asking the
privileged monitor for help where needed.
work by Moritz Jodeit <moritz@jodeit.org> with help from theo and me
tests theo ian@ matthieu@ ben@networkinsanity.com a.schlichting@lemarit.com


Revision tags: OPENBSD_3_5_BASE OPENBSD_3_6_BASE
# 1.43 10-Dec-2003 deraadt

spacing


Revision tags: OPENBSD_3_4_BASE
# 1.42 02-Jun-2003 millert

Remove the advertising clause in the UCB license which Berkeley
rescinded 22 July 1999. Proofed by myself and Theo.


Revision tags: OPENBSD_3_2_BASE OPENBSD_3_3_BASE
# 1.41 02-Jul-2002 danh

* use lostconn() as the SIGALRM handler in receive_data() as originally
done by downsj@ in revision 1.54.

* some -Wall cleanup
- only declare check_host() if TCPWRAPPERS is defined.
- use socklen_t where appropriate instead of int (pointer signedness
warnings).
- {u_}char * pointer signedness warnings.

ok millert@


# 1.40 17-Jun-2002 danh

Initialize SIGALRM handler once in main(), instead of in several
different locations.

This fixes a problem where the SIGALRM handler was being set to an
uninitialized pointer in receive_data(). Originally reported to the
misc@ list by Colin Harford.

ok millert@


Revision tags: OPENBSD_3_1_BASE
# 1.39 19-Feb-2002 mpech

Rewrite upper().

millert@ ok


# 1.38 16-Feb-2002 millert

Part one of userland __P removal. Done with a simple regexp with some minor hand editing to make comments line up correctly. Another pass is forthcoming that handles the cases that could not be done automatically.


# 1.37 30-Jan-2002 mpech

Fix leak in `EPSV ALL`.
Since now ``ALL'' should be treated like CRLF, COMMA, etc.

millert@ ok


# 1.36 30-Jan-2002 mpech

protect `RNTO` from NULL pointer.

millert@ ok


# 1.35 25-Jan-2002 mpech

s is pointer. 0 -> NULL.

millert@ ok


# 1.34 25-Jan-2002 mpech

Catch not valid chmod value earlier. This makes sense, before we didn't
handle some situations and pass value to chmod() instead of fatal.
Idea stolen from `SITE UMASK` handler.

millert@ ok


# 1.33 23-Jan-2002 mpech

lookup() returns pointer. Convert 0 -> NULL.

millert@ ok


# 1.32 23-Jan-2002 mpech

``pathname'' can be NULL here too.

millert@ ok


# 1.31 17-Jan-2002 itojun

reject SIZE request for ascii mode if file is larger than 10k.


# 1.30 08-Jan-2002 millert

Close potential memory leak wrt "fromname"; inspired by similar FreeBSD
changes.


# 1.29 08-Jan-2002 millert

STRING is never NULL so there is no need to test it for NULL before
freeing it.


# 1.28 28-Dec-2001 millert

Fix memory leak with EPRT command; Hiroyuki YAMAMORI


# 1.27 07-Dec-2001 mpech

kill more registers;

millert@ ok


# 1.26 04-Dec-2001 millert

Kill setjmp/longjmp
o fix error recovery in the parser so there is no longer a need for jmping
o make SIGURG handler interrupt syscalls and just set a flag that we test
for later.

Use waitpid() not wait3() for portability. Restart waitpid() loop
if another signal interrupts us.

Calling dologout() from signal handlers is safe because it doesn't
use stdio, nor do the two functions it calls (logout and ftpdlogwtmp).


# 1.25 05-Nov-2001 deraadt

more signal marks, and some syslog_r in handlers


Revision tags: OPENBSD_2_9_BASE OPENBSD_3_0_BASE
# 1.24 14-Nov-2000 itojun

cleanup EPSV/EPRT error handling. avoid possible memory leak (getaddrinfo).
correct error code on unsupported protocol parameter against EPRT (522).


# 1.23 13-Nov-2000 itojun

combine check_epsvall + check_login into check_login_epsvall.
we cannot split check_login and check_epsvall. if we do that, we end up
generating two results against single command.


# 1.22 13-Nov-2000 itojun

make sure to check_login on EPSV/LPSV. move epvsall check into check_epsvall.


Revision tags: OPENBSD_2_8_BASE
# 1.21 17-Jun-2000 deraadt

pr 772; -u blocks chmod command, michaels@inet.no


Revision tags: OPENBSD_2_7_BASE
# 1.20 29-Apr-2000 deraadt

indent


# 1.19 15-Jan-2000 ericj

(char *)0 -> NULL cleanup. From NetBSD


# 1.18 08-Dec-1999 itojun

IPv6 support from KAME.
XXX kerberos and tcp_wrapper needs checking


Revision tags: OPENBSD_2_6_BASE
# 1.17 08-Oct-1999 deraadt

correct; dholland@hcs.harvard.edu, root@zen.ics.uwe.ac.uk


Revision tags: OPENBSD_2_4_BASE OPENBSD_2_5_BASE
# 1.16 22-May-1998 deraadt

use TM_YEAR_BASE; lukem


Revision tags: OPENBSD_2_3_BASE
# 1.15 03-Feb-1998 downsj

Work around a glob() and Netscape problem; the local glob() hacker may
want to read the commentary if he wants another project.


# 1.14 18-Dec-1997 deraadt

Be so specific about the exact details of a PORT command error, that we
strike fear into the hearts of attackers (naw, I bet not...)


# 1.13 18-Dec-1997 deraadt

bitch if attacker tries to make PORT values overflow each other (they cannot anyways, but let him know we are onto him)


# 1.12 12-Dec-1997 deraadt

default to violating the RFC wrt the PORT command. Use -P to conform to the
RFC and possibly open up non-OpenBSD boxes in a trust relationship on your
network to possible ftp bounce attacks...


Revision tags: OPENBSD_2_2_BASE
# 1.11 23-Jul-1997 kstailey

tabify


# 1.10 22-Jul-1997 deraadt

setproctitle less


Revision tags: OPENBSD_2_1_BASE
# 1.9 02-Jan-1997 bitblt

Fix for the shift-reduce conflict, contributed by dholland@hcs.harvard.edu,
who is porting the OpenBSD ftpd to (of all things) Linux.


# 1.8 07-Dec-1996 bitblt

ftpd now eventually times out if a ftp client does:
pasv
list
and then crashes.
The timeout should only apply to the accept(), so that transfers can
take as long as necessary to complete.
Thanks to Theo for moving toolong() to extern.h so that it can be used
in ftpd.c as well as in ftpcmd.y.


# 1.7 16-Oct-1996 bitblt

Fixed a memory leak associated with the HELP and SITE HELP commands.


Revision tags: OPENBSD_2_0_BASE
# 1.6 19-Sep-1996 bitblt

reduced the number of commands available to users who are not logged
in, fixed a memory leak in RNFR


# 1.5 04-Sep-1996 deraadt

clear passwd, for safety


# 1.4 22-Aug-1996 deraadt

de-gibble ftpd for w


# 1.3 07-Aug-1996 downsj

strcpy -> strncpy, kill off a strdup() clone.


# 1.2 23-Apr-1996 deraadt

sync with netbsd 960418


# 1.1 18-Oct-1995 deraadt

branches: 1.1.1;
Initial revision


# 1.69 04-Mar-2020 millert

Avoid passing a NULL name to retrieve(), use "." instead.
Fixes a "vfprintf %s NULL" warning in ftpd.
OK deraadt@ tb@


Revision tags: OPENBSD_6_6_BASE
# 1.68 28-Jun-2019 deraadt

When system calls indicate an error they return -1, not some arbitrary
value < 0. errno is only updated in this case. Change all (most?)
callers of syscalls to follow this better, and let's see if this strictness
helps us in the future.


# 1.67 08-May-2019 tedu

rm dead code and simplify ftpd_popen. this code has only called
its statically linked ls_main for some time now.
from Jan Klemkow
ok deraadt


Revision tags: OPENBSD_6_2_BASE OPENBSD_6_3_BASE OPENBSD_6_4_BASE OPENBSD_6_5_BASE
# 1.66 27-Apr-2017 mikeb

Don't send multiple error messages in response to a single command

While a few commands (such as HELP and NOOP) are allowed in between
USER and PASS, most of the others are not. However if such command
is issued, ftpd should abort the command evaluation early and reply
with "530 Please login with USER and PASS."

From form@, with input from deraadt@ and OK millert@


# 1.65 17-Apr-2017 deraadt

memset() of password field should be explicit_bzero().
[Not using freezero() in yacc files yet]


Revision tags: OPENBSD_6_1_BASE
# 1.64 26-Aug-2016 tedu

trim down some NBBY references. 8 bits ought to be enough for anyone.


# 1.63 14-Aug-2016 guenther

Convert %q to %ll with long long casts for printf()
Delete pointless casts to off_t, void*, and uid_t

ok krw@


Revision tags: OPENBSD_5_9_BASE OPENBSD_6_0_BASE
# 1.62 16-Nov-2015 tedu

don't need to ifdef setproctitle


# 1.61 25-Oct-2015 tedu

unifdef some oldness. (BSD not defined since removal of param.h)
ok jca sthen


# 1.60 18-Aug-2015 deraadt

calloc() is prototyped; do not cast result


Revision tags: OPENBSD_5_8_BASE
# 1.59 17-Mar-2015 millert

Eliminate use of TM_YEAR_BASE. OK guenther@ deraadt@ miod@


# 1.58 15-Mar-2015 millert

tzfile.h is an internal header that should never have been installed.
What's worse, the tzfile.h that gets installed is over 20 years old
and doesn't match the real tzfile.h in libc/time. This makes the
tree safe for /usr/include/tzfile.h removal. The TM_YEAR_BASE
define has been moved to time.h temporarily until its usage is
replaced by 1900 in the tree. Actual removal of tzfile.h is pending
a ports build. Based on a diff from deraadt@


Revision tags: OPENBSD_5_7_BASE
# 1.57 16-Jan-2015 deraadt

Replace <sys/param.h> with <limits.h> and other less dirty headers where
possible. Annotate <sys/param.h> lines with their current reasons. Switch
to PATH_MAX, NGROUPS_MAX, HOST_NAME_MAX+1, LOGIN_NAME_MAX, etc. Change
MIN() and MAX() to local definitions of MINIMUM() and MAXIMUM() where
sensible to avoid pulling in the pollution. These are the files confirmed
through binary verification.
ok guenther, millert, doug (helped with the verification protocol)


Revision tags: OPENBSD_5_5_BASE OPENBSD_5_6_BASE
# 1.56 08-Feb-2014 millert

Fix REST (restart transfer) for offsets large than 2GB. OK okan@


# 1.55 27-Nov-2013 deraadt

unsigned char for ctype
ok okan kettenis


Revision tags: OPENBSD_5_2_BASE OPENBSD_5_3_BASE OPENBSD_5_4_BASE
# 1.54 04-Mar-2012 fgsch

In preparation for getline and getdelim additions to libc, rename getline()
occurrences to get_line().
Based on a diff from Jan Klemkow <j-dot-klemkow-at-wemelug-dot-de> to tech.


Revision tags: OPENBSD_4_7_BASE OPENBSD_4_8_BASE OPENBSD_4_9_BASE OPENBSD_5_0_BASE OPENBSD_5_1_BASE
# 1.53 27-Oct-2009 deraadt

rcsid[] and sccsid[] and copyright[] are essentially unmaintained (and
unmaintainable). these days, people use source. these id's do not provide
any benefit, and do hurt the small install media
(the 33,000 line diff is essentially mechanical)
ok with the idea millert, ok dms


Revision tags: OPENBSD_4_5_BASE OPENBSD_4_6_BASE
# 1.52 13-Sep-2008 moritz

Fix minor bug in the previous commit, which could hang the
current session, when the last character of an overly long line
was a newline character. Additionally reply with
500 "Command too long" for commands, which are too large.

Issue found and proposed fix by Luke Mewburn <lukem@NetBSD.org>.

ok millert@


# 1.51 12-Sep-2008 moritz

Don't split large commands into multiple commands on a 512-byte
boundary but just fail on them. This prevents CSRF-like attacks,
when a web browser is used to access an ftp server.

Reported by Maksymilian Arciemowicz <cxib@securityreason.com>.

ok millert@ martynas@


Revision tags: OPENBSD_4_4_BASE
# 1.50 30-Jun-2008 ragge

Include file order must be "monitor.h" before "extern.h" otherwise enum
auth_ret is referenced before it is declared, which is not allowed by C99.

Ok krw@, millert@, gilles@


Revision tags: OPENBSD_4_0_BASE OPENBSD_4_1_BASE OPENBSD_4_2_BASE OPENBSD_4_3_BASE
# 1.49 21-Apr-2006 deraadt

lint cleanup; ok ray moritz dhill


Revision tags: OPENBSD_3_7_BASE OPENBSD_3_8_BASE OPENBSD_3_9_BASE
# 1.48 11-Dec-2004 moritz

make syscalls in the monitor restartable when signals occur, as was
the case before privsep and only wait() for our slave processes.
with help from millert@

ok millert@ henning@


# 1.47 06-Dec-2004 deraadt

seperate reply_r, like earlier change but safer; moritz ok


# 1.46 04-Dec-2004 deraadt

reply() used to play a lot with stdout, expecially fflush(stdout).
The recent change is to avoid stdio. That's good, except there are
nearly 130 calls to this function, yet what if one of them depended on
fflush() or something else in this code? The semantic change was
never checked. That is not how we do development -- back this out
until we know that checking work has been done.


# 1.45 03-Dec-2004 moritz

make reply() reentrant. fixes a signal race.
ok henning@


# 1.44 28-Nov-2004 henning

privilege seperate ftpd
handle the pre-authentication phase (minus a tiny tiny tiny amount
of code after accept()) in an unprivileged process, asking the
privileged monitor for help where needed.
work by Moritz Jodeit <moritz@jodeit.org> with help from theo and me
tests theo ian@ matthieu@ ben@networkinsanity.com a.schlichting@lemarit.com


Revision tags: OPENBSD_3_5_BASE OPENBSD_3_6_BASE
# 1.43 10-Dec-2003 deraadt

spacing


Revision tags: OPENBSD_3_4_BASE
# 1.42 02-Jun-2003 millert

Remove the advertising clause in the UCB license which Berkeley
rescinded 22 July 1999. Proofed by myself and Theo.


Revision tags: OPENBSD_3_2_BASE OPENBSD_3_3_BASE
# 1.41 02-Jul-2002 danh

* use lostconn() as the SIGALRM handler in receive_data() as originally
done by downsj@ in revision 1.54.

* some -Wall cleanup
- only declare check_host() if TCPWRAPPERS is defined.
- use socklen_t where appropriate instead of int (pointer signedness
warnings).
- {u_}char * pointer signedness warnings.

ok millert@


# 1.40 17-Jun-2002 danh

Initialize SIGALRM handler once in main(), instead of in several
different locations.

This fixes a problem where the SIGALRM handler was being set to an
uninitialized pointer in receive_data(). Originally reported to the
misc@ list by Colin Harford.

ok millert@


Revision tags: OPENBSD_3_1_BASE
# 1.39 19-Feb-2002 mpech

Rewrite upper().

millert@ ok


# 1.38 16-Feb-2002 millert

Part one of userland __P removal. Done with a simple regexp with some minor hand editing to make comments line up correctly. Another pass is forthcoming that handles the cases that could not be done automatically.


# 1.37 30-Jan-2002 mpech

Fix leak in `EPSV ALL`.
Since now ``ALL'' should be treated like CRLF, COMMA, etc.

millert@ ok


# 1.36 30-Jan-2002 mpech

protect `RNTO` from NULL pointer.

millert@ ok


# 1.35 25-Jan-2002 mpech

s is pointer. 0 -> NULL.

millert@ ok


# 1.34 25-Jan-2002 mpech

Catch not valid chmod value earlier. This make sense, before we didn't
handle some situations and pass value to chmod() instead of fatal.
Idea stolen from `SITE UMASK` handler.

millert@ ok


# 1.33 23-Jan-2002 mpech

lookup() returns pointer. Convert 0 -> NULL.

millert@ ok


# 1.32 23-Jan-2002 mpech

``pathname'' can be NULL here too.

millert@ ok


# 1.31 17-Jan-2002 itojun

reject SIZE request for ascii mode if file is larger than 10k.


# 1.30 08-Jan-2002 millert

Close potential memory leak wrt "fromname"; inspired by similar FreeBSD
changes.


# 1.29 08-Jan-2002 millert

STRING is never NULL so there is no need to test it for NULL before
freeing it.


# 1.28 28-Dec-2001 millert

Fix memory leak with EPRT command; Hiroyuki YAMAMORI


# 1.27 07-Dec-2001 mpech

kill more registers;

millert@ ok


# 1.26 04-Dec-2001 millert

Kill setjmp/longjmp
o fix error recovery in the parser so there is no longer a need for jmping
o make SIGURG handler interupt syscalls and just set a flag that we test
for later.

Use waitpid() not wait3() for portability. Restart waitpid() loop
if another signal interrupts us.

Calling dologout() from signal handlers is safe because it doesn't
use stdio, nor do the two functions it calls (logout and ftpdlogwtmp).


# 1.25 05-Nov-2001 deraadt

more signal marks, and some syslog_r in handlers


Revision tags: OPENBSD_2_9_BASE OPENBSD_3_0_BASE
# 1.24 14-Nov-2000 itojun

cleanup EPSV/EPRT error handling. avoid possible memory leak (getaddrinfo).
correct error code on unsupported protocol parameter against EPRT (522).


# 1.23 13-Nov-2000 itojun

combine check_epsvall + check_login into check_login_epsvall.
we cnanot split check_login and check_epsvall. if we do that, we end up
generating two results against single comand.


# 1.22 13-Nov-2000 itojun

make sure to check_login on EPSV/LPSV. move epvsall check into check_epsvall.


Revision tags: OPENBSD_2_8_BASE
# 1.21 17-Jun-2000 deraadt

pr 772; -u blocks chmod command, michaels@inet.no


Revision tags: OPENBSD_2_7_BASE
# 1.20 29-Apr-2000 deraadt

indent


# 1.19 15-Jan-2000 ericj

(char *)0 -> NULL cleanup. From NetBSD


# 1.18 08-Dec-1999 itojun

IPv6 support from KAME.
XXX kerberos and tcp_wrapper needs checking


Revision tags: OPENBSD_2_6_BASE
# 1.17 08-Oct-1999 deraadt

correct; dholland@hcs.harvard.edu, root@zen.ics.uwe.ac.uk


Revision tags: OPENBSD_2_4_BASE OPENBSD_2_5_BASE
# 1.16 22-May-1998 deraadt

use TM_YEAR_BASE; lukem


Revision tags: OPENBSD_2_3_BASE
# 1.15 03-Feb-1998 downsj

Work around a glob() and Netscape problem; the local glob() hacker may
want to read the commentary if he wants another project.


# 1.14 18-Dec-1997 deraadt

Be so specific about the exact details of a PORT command error, that we
strike fear into the hearts of attackers (naw, I bet not...)


# 1.13 18-Dec-1997 deraadt

bitch if attacker tries to make PORT values overflow each other (they cannot anyways, but let him know we are onto him)


# 1.12 12-Dec-1997 deraadt

default to violating the RFC wrt the PORT command. Use -P to conform to the
RFC and possibly open up non-OpenBSD boxes in a trust relationship on your
network to possible ftp bounce attacks...


Revision tags: OPENBSD_2_2_BASE
# 1.11 23-Jul-1997 kstailey

tabify


# 1.10 22-Jul-1997 deraadt

setproctitle less


Revision tags: OPENBSD_2_1_BASE
# 1.9 02-Jan-1997 bitblt

Fix for the shift-reduce conflict, contributed by dholland@hcs.harvard.edu,
who is porting the OpenBSD ftpd to (of all things) Linux.


# 1.8 07-Dec-1996 bitblt

ftpd now eventually times out if a ftp client does:
pasv
list
and then crashes.
The timeout should only apply the the accept(), so that transfers can
take as long as necessary to complete.
Thanks to Theo for moving toolong() to extern.h so that it can be used
in ftpd.c as well as in ftpcmd.y.


# 1.7 16-Oct-1996 bitblt

Fixed a memory leak associated with the HELP and SITE HELP commands.


Revision tags: OPENBSD_2_0_BASE
# 1.6 19-Sep-1996 bitblt

reduced the number of command availibe to users who are not logged
in, fixed a memory leak in RNFR


# 1.5 04-Sep-1996 deraadt

clear passwd, for safety


# 1.4 22-Aug-1996 deraadt

de-gibble ftpd for w


# 1.3 07-Aug-1996 downsj

strcpy -> strncpy, kill off a strdup() clone.


# 1.2 23-Apr-1996 deraadt

sync with netbsd 960418


# 1.1 18-Oct-1995 deraadt

branches: 1.1.1;
Initial revision


# 1.68 28-Jun-2019 deraadt

When system calls indicate an error they return -1, not some arbitrary
value < 0. errno is only updated in this case. Change all (most?)
callers of syscalls to follow this better, and let's see if this strictness
helps us in the future.


# 1.67 08-May-2019 tedu

rm dead code and simplify ftpd_popen. this code has only called
its statically linked ls_main for some time now.
from Jan Klemkow
ok deraadt


Revision tags: OPENBSD_6_2_BASE OPENBSD_6_3_BASE OPENBSD_6_4_BASE OPENBSD_6_5_BASE
# 1.66 27-Apr-2017 mikeb

Don't send multiple error messages in response to a single command

While a few commands (such as HELP and NOOP) are allowed in between
USER and PASS, most of the others are not. However if such command
is issued, ftpd should abort the command evaluation early and reply
with "530 Please login with USER and PASS."

From form@, with input from deraadt@ and OK millert@


# 1.65 17-Apr-2017 deraadt

memset() of password field should be explicit_bzero().
[Not using freezero() in yacc files yet]


Revision tags: OPENBSD_6_1_BASE
# 1.64 26-Aug-2016 tedu

trim down some NBBY references. 8 bits ought to be enough for anyone.


# 1.63 14-Aug-2016 guenther

Convert %q to %ll with long long casts for printf()
Delete pointless casts to off_t, void*, and uid_t

ok krw@


Revision tags: OPENBSD_5_9_BASE OPENBSD_6_0_BASE
# 1.62 16-Nov-2015 tedu

don't need to ifdef setproctitle


# 1.61 25-Oct-2015 tedu

unifdef some oldness. (BSD not defined since removal of param.h)
ok jca sthen


# 1.60 18-Aug-2015 deraadt

calloc() is prototyped; do not cast result


Revision tags: OPENBSD_5_8_BASE
# 1.59 17-Mar-2015 millert

Eliminate use of TM_YEAR_BASE. OK guenther@ deraadt@ miod@


# 1.58 15-Mar-2015 millert

tzfile.h is an internal header that should never have been installed.
What's worse, the tzfile.h that gets installed is over 20 years old
and doesn't match the real tzfile.h in libc/time. This makes the
tree safe for /usr/include/tzfile.h removal. The TM_YEAR_BASE
define has been moved to time.h temporarily until its usage is
replaced by 1900 in the tree. Actual removal of tzfile.h is pending
a ports build. Based on a diff from deraadt@


Revision tags: OPENBSD_5_7_BASE
# 1.57 16-Jan-2015 deraadt

Replace <sys/param.h> with <limits.h> and other less dirty headers where
possible. Annotate <sys/param.h> lines with their current reasons. Switch
to PATH_MAX, NGROUPS_MAX, HOST_NAME_MAX+1, LOGIN_NAME_MAX, etc. Change
MIN() and MAX() to local definitions of MINIMUM() and MAXIMUM() where
sensible to avoid pulling in the pollution. These are the files confirmed
through binary verification.
ok guenther, millert, doug (helped with the verification protocol)


Revision tags: OPENBSD_5_5_BASE OPENBSD_5_6_BASE
# 1.56 08-Feb-2014 millert

Fix REST (restart transfer) for offsets large than 2GB. OK okan@


# 1.55 27-Nov-2013 deraadt

unsigned char for ctype
ok okan kettenis


Revision tags: OPENBSD_5_2_BASE OPENBSD_5_3_BASE OPENBSD_5_4_BASE
# 1.54 04-Mar-2012 fgsch

In preparation for getline and getdelim additions to libc, rename getline()
occurrences to get_line().
Based on a diff from Jan Klemkow <j-dot-klemkow-at-wemelug-dot-de> to tech.


Revision tags: OPENBSD_4_7_BASE OPENBSD_4_8_BASE OPENBSD_4_9_BASE OPENBSD_5_0_BASE OPENBSD_5_1_BASE
# 1.53 27-Oct-2009 deraadt

rcsid[] and sccsid[] and copyright[] are essentially unmaintained (and
unmaintainable). these days, people use source. these id's do not provide
any benefit, and do hurt the small install media
(the 33,000 line diff is essentially mechanical)
ok with the idea millert, ok dms


Revision tags: OPENBSD_4_5_BASE OPENBSD_4_6_BASE
# 1.52 13-Sep-2008 moritz

Fix minor bug in the previous commit, which could hang the
current session, when the last character of an overly long line
was a newline character. Additionally reply with
500 "Command too long" for commands, which are too large.

Issue found and proposed fix by Luke Mewburn <lukem@NetBSD.org>.

ok millert@


# 1.51 12-Sep-2008 moritz

Don't split large commands into multiple commands on a 512-byte
boundary but just fail on them. This prevents CSRF-like attacks,
when a web browser is used to access an ftp server.

Reported by Maksymilian Arciemowicz <cxib@securityreason.com>.

ok millert@ martynas@


Revision tags: OPENBSD_4_4_BASE
# 1.50 30-Jun-2008 ragge

Include file order must be "monitor.h" before "extern.h" otherwise enum
auth_ret is referenced before it is declared, which is not allowed by C99.

Ok krw@, millert@, gilles@


Revision tags: OPENBSD_4_0_BASE OPENBSD_4_1_BASE OPENBSD_4_2_BASE OPENBSD_4_3_BASE
# 1.49 21-Apr-2006 deraadt

lint cleanup; ok ray moritz dhill


Revision tags: OPENBSD_3_7_BASE OPENBSD_3_8_BASE OPENBSD_3_9_BASE
# 1.48 11-Dec-2004 moritz

make syscalls in the monitor restartable when signals occur, as was
the case before privsep and only wait() for our slave processes.
with help from millert@

ok millert@ henning@


# 1.47 06-Dec-2004 deraadt

seperate reply_r, like earlier change but safer; moritz ok


# 1.46 04-Dec-2004 deraadt

reply() used to play a lot with stdout, expecially fflush(stdout).
The recent change is to avoid stdio. That's good, except there are
nearly 130 calls to this function, yet what if one of them depended on
fflush() or something else in this code? The semantic change was
never checked. That is not how we do development -- back this out
until we know that checking work has been done.


# 1.45 03-Dec-2004 moritz

make reply() reentrant. fixes a signal race.
ok henning@


# 1.44 28-Nov-2004 henning

privilege seperate ftpd
handle the pre-authentication phase (minus a tiny tiny tiny amount
of code after accept()) in an unprivileged process, asking the
privileged monitor for help where needed.
work by Moritz Jodeit <moritz@jodeit.org> with help from theo and me
tests theo ian@ matthieu@ ben@networkinsanity.com a.schlichting@lemarit.com


Revision tags: OPENBSD_3_5_BASE OPENBSD_3_6_BASE
# 1.43 10-Dec-2003 deraadt

spacing


Revision tags: OPENBSD_3_4_BASE
# 1.42 02-Jun-2003 millert

Remove the advertising clause in the UCB license which Berkeley
rescinded 22 July 1999. Proofed by myself and Theo.


Revision tags: OPENBSD_3_2_BASE OPENBSD_3_3_BASE
# 1.41 02-Jul-2002 danh

* use lostconn() as the SIGALRM handler in receive_data() as originally
done by downsj@ in revision 1.54.

* some -Wall cleanup
- only declare check_host() if TCPWRAPPERS is defined.
- use socklen_t where appropriate instead of int (pointer signedness
warnings).
- {u_}char * pointer signedness warnings.

ok millert@


# 1.40 17-Jun-2002 danh

Initialize SIGALRM handler once in main(), instead of in several
different locations.

This fixes a problem where the SIGALRM handler was being set to an
uninitialized pointer in receive_data(). Originally reported to the
misc@ list by Colin Harford.

ok millert@


Revision tags: OPENBSD_3_1_BASE
# 1.39 19-Feb-2002 mpech

Rewrite upper().

millert@ ok


# 1.38 16-Feb-2002 millert

Part one of userland __P removal. Done with a simple regexp with some minor hand editing to make comments line up correctly. Another pass is forthcoming that handles the cases that could not be done automatically.


# 1.37 30-Jan-2002 mpech

Fix leak in `EPSV ALL`.
Since now ``ALL'' should be treated like CRLF, COMMA, etc.

millert@ ok


# 1.36 30-Jan-2002 mpech

protect `RNTO` from NULL pointer.

millert@ ok


# 1.35 25-Jan-2002 mpech

s is pointer. 0 -> NULL.

millert@ ok


# 1.34 25-Jan-2002 mpech

Catch not valid chmod value earlier. This make sense, before we didn't
handle some situations and pass value to chmod() instead of fatal.
Idea stolen from `SITE UMASK` handler.

millert@ ok


# 1.33 23-Jan-2002 mpech

lookup() returns pointer. Convert 0 -> NULL.

millert@ ok


# 1.32 23-Jan-2002 mpech

``pathname'' can be NULL here too.

millert@ ok


# 1.31 17-Jan-2002 itojun

reject SIZE request for ascii mode if file is larger than 10k.


# 1.30 08-Jan-2002 millert

Close potential memory leak wrt "fromname"; inspired by similar FreeBSD
changes.


# 1.29 08-Jan-2002 millert

STRING is never NULL so there is no need to test it for NULL before
freeing it.


# 1.28 28-Dec-2001 millert

Fix memory leak with EPRT command; Hiroyuki YAMAMORI


# 1.27 07-Dec-2001 mpech

kill more registers;

millert@ ok


# 1.26 04-Dec-2001 millert

Kill setjmp/longjmp
o fix error recovery in the parser so there is no longer a need for jmping
o make SIGURG handler interupt syscalls and just set a flag that we test
for later.

Use waitpid() not wait3() for portability. Restart waitpid() loop
if another signal interrupts us.

Calling dologout() from signal handlers is safe because it doesn't
use stdio, nor do the two functions it calls (logout and ftpdlogwtmp).


# 1.25 05-Nov-2001 deraadt

more signal marks, and some syslog_r in handlers


Revision tags: OPENBSD_2_9_BASE OPENBSD_3_0_BASE
# 1.24 14-Nov-2000 itojun

cleanup EPSV/EPRT error handling. avoid possible memory leak (getaddrinfo).
correct error code on unsupported protocol parameter against EPRT (522).


# 1.23 13-Nov-2000 itojun

combine check_epsvall + check_login into check_login_epsvall.
we cannot split check_login and check_epsvall. if we do that, we end up
generating two results against single command.


# 1.22 13-Nov-2000 itojun

make sure to check_login on EPSV/LPSV. move epsvall check into check_epsvall.


Revision tags: OPENBSD_2_8_BASE
# 1.21 17-Jun-2000 deraadt

pr 772; -u blocks chmod command, michaels@inet.no


Revision tags: OPENBSD_2_7_BASE
# 1.20 29-Apr-2000 deraadt

indent


# 1.19 15-Jan-2000 ericj

(char *)0 -> NULL cleanup. From NetBSD


# 1.18 08-Dec-1999 itojun

IPv6 support from KAME.
XXX kerberos and tcp_wrapper needs checking


Revision tags: OPENBSD_2_6_BASE
# 1.17 08-Oct-1999 deraadt

correct; dholland@hcs.harvard.edu, root@zen.ics.uwe.ac.uk


Revision tags: OPENBSD_2_4_BASE OPENBSD_2_5_BASE
# 1.16 22-May-1998 deraadt

use TM_YEAR_BASE; lukem


Revision tags: OPENBSD_2_3_BASE
# 1.15 03-Feb-1998 downsj

Work around a glob() and Netscape problem; the local glob() hacker may
want to read the commentary if he wants another project.


# 1.14 18-Dec-1997 deraadt

Be so specific about the exact details of a PORT command error, that we
strike fear into the hearts of attackers (naw, I bet not...)


# 1.13 18-Dec-1997 deraadt

bitch if attacker tries to make PORT values overflow each other (they cannot anyways, but let him know we are onto him)


# 1.12 12-Dec-1997 deraadt

default to violating the RFC wrt the PORT command. Use -P to conform to the
RFC and possibly open up non-OpenBSD boxes in a trust relationship on your
network to possible ftp bounce attacks...


Revision tags: OPENBSD_2_2_BASE
# 1.11 23-Jul-1997 kstailey

tabify


# 1.10 22-Jul-1997 deraadt

setproctitle less


Revision tags: OPENBSD_2_1_BASE
# 1.9 02-Jan-1997 bitblt

Fix for the shift-reduce conflict, contributed by dholland@hcs.harvard.edu,
who is porting the OpenBSD ftpd to (of all things) Linux.


# 1.8 07-Dec-1996 bitblt

ftpd now eventually times out if a ftp client does:
pasv
list
and then crashes.
The timeout should only apply to the accept(), so that transfers can
take as long as necessary to complete.
Thanks to Theo for moving toolong() to extern.h so that it can be used
in ftpd.c as well as in ftpcmd.y.


# 1.7 16-Oct-1996 bitblt

Fixed a memory leak associated with the HELP and SITE HELP commands.


Revision tags: OPENBSD_2_0_BASE
# 1.6 19-Sep-1996 bitblt

reduced the number of commands available to users who are not logged
in, fixed a memory leak in RNFR


# 1.5 04-Sep-1996 deraadt

clear passwd, for safety


# 1.4 22-Aug-1996 deraadt

de-gibble ftpd for w


# 1.3 07-Aug-1996 downsj

strcpy -> strncpy, kill off a strdup() clone.


# 1.2 23-Apr-1996 deraadt

sync with netbsd 960418


# 1.1 18-Oct-1995 deraadt

branches: 1.1.1;
Initial revision


# 1.67 08-May-2019 tedu

rm dead code and simplify ftpd_popen. this code has only called
its statically linked ls_main for some time now.
from Jan Klemkow
ok deraadt


Revision tags: OPENBSD_6_2_BASE OPENBSD_6_3_BASE OPENBSD_6_4_BASE OPENBSD_6_5_BASE
# 1.66 27-Apr-2017 mikeb

Don't send multiple error messages in response to a single command

While a few commands (such as HELP and NOOP) are allowed in between
USER and PASS, most of the others are not. However if such command
is issued, ftpd should abort the command evaluation early and reply
with "530 Please login with USER and PASS."

From form@, with input from deraadt@ and OK millert@


# 1.65 17-Apr-2017 deraadt

memset() of password field should be explicit_bzero().
[Not using freezero() in yacc files yet]


Revision tags: OPENBSD_6_1_BASE
# 1.64 26-Aug-2016 tedu

trim down some NBBY references. 8 bits ought to be enough for anyone.


# 1.63 14-Aug-2016 guenther

Convert %q to %ll with long long casts for printf()
Delete pointless casts to off_t, void*, and uid_t

ok krw@


Revision tags: OPENBSD_5_9_BASE OPENBSD_6_0_BASE
# 1.62 16-Nov-2015 tedu

don't need to ifdef setproctitle


# 1.61 25-Oct-2015 tedu

unifdef some oldness. (BSD not defined since removal of param.h)
ok jca sthen


# 1.60 18-Aug-2015 deraadt

calloc() is prototyped; do not cast result


Revision tags: OPENBSD_5_8_BASE
# 1.59 17-Mar-2015 millert

Eliminate use of TM_YEAR_BASE. OK guenther@ deraadt@ miod@


# 1.58 15-Mar-2015 millert

tzfile.h is an internal header that should never have been installed.
What's worse, the tzfile.h that gets installed is over 20 years old
and doesn't match the real tzfile.h in libc/time. This makes the
tree safe for /usr/include/tzfile.h removal. The TM_YEAR_BASE
define has been moved to time.h temporarily until its usage is
replaced by 1900 in the tree. Actual removal of tzfile.h is pending
a ports build. Based on a diff from deraadt@


Revision tags: OPENBSD_5_7_BASE
# 1.57 16-Jan-2015 deraadt

Replace <sys/param.h> with <limits.h> and other less dirty headers where
possible. Annotate <sys/param.h> lines with their current reasons. Switch
to PATH_MAX, NGROUPS_MAX, HOST_NAME_MAX+1, LOGIN_NAME_MAX, etc. Change
MIN() and MAX() to local definitions of MINIMUM() and MAXIMUM() where
sensible to avoid pulling in the pollution. These are the files confirmed
through binary verification.
ok guenther, millert, doug (helped with the verification protocol)


Revision tags: OPENBSD_5_5_BASE OPENBSD_5_6_BASE
# 1.56 08-Feb-2014 millert

Fix REST (restart transfer) for offsets larger than 2GB. OK okan@


# 1.55 27-Nov-2013 deraadt

unsigned char for ctype
ok okan kettenis


Revision tags: OPENBSD_5_2_BASE OPENBSD_5_3_BASE OPENBSD_5_4_BASE
# 1.54 04-Mar-2012 fgsch

In preparation for getline and getdelim additions to libc, rename getline()
occurrences to get_line().
Based on a diff from Jan Klemkow <j-dot-klemkow-at-wemelug-dot-de> to tech.


Revision tags: OPENBSD_4_7_BASE OPENBSD_4_8_BASE OPENBSD_4_9_BASE OPENBSD_5_0_BASE OPENBSD_5_1_BASE
# 1.53 27-Oct-2009 deraadt

rcsid[] and sccsid[] and copyright[] are essentially unmaintained (and
unmaintainable). these days, people use source. these id's do not provide
any benefit, and do hurt the small install media
(the 33,000 line diff is essentially mechanical)
ok with the idea millert, ok dms


Revision tags: OPENBSD_4_5_BASE OPENBSD_4_6_BASE
# 1.52 13-Sep-2008 moritz

Fix minor bug in the previous commit, which could hang the
current session, when the last character of an overly long line
was a newline character. Additionally reply with
500 "Command too long" for commands, which are too large.

Issue found and proposed fix by Luke Mewburn <lukem@NetBSD.org>.

ok millert@


# 1.51 12-Sep-2008 moritz

Don't split large commands into multiple commands on a 512-byte
boundary but just fail on them. This prevents CSRF-like attacks,
when a web browser is used to access an ftp server.

Reported by Maksymilian Arciemowicz <cxib@securityreason.com>.

ok millert@ martynas@


Revision tags: OPENBSD_4_4_BASE
# 1.50 30-Jun-2008 ragge

Include file order must be "monitor.h" before "extern.h" otherwise enum
auth_ret is referenced before it is declared, which is not allowed by C99.

Ok krw@, millert@, gilles@


Revision tags: OPENBSD_4_0_BASE OPENBSD_4_1_BASE OPENBSD_4_2_BASE OPENBSD_4_3_BASE
# 1.49 21-Apr-2006 deraadt

lint cleanup; ok ray moritz dhill


Revision tags: OPENBSD_3_7_BASE OPENBSD_3_8_BASE OPENBSD_3_9_BASE
# 1.48 11-Dec-2004 moritz

make syscalls in the monitor restartable when signals occur, as was
the case before privsep and only wait() for our slave processes.
with help from millert@

ok millert@ henning@


# 1.47 06-Dec-2004 deraadt

separate reply_r, like earlier change but safer; moritz ok


# 1.46 04-Dec-2004 deraadt

reply() used to play a lot with stdout, especially fflush(stdout).
The recent change is to avoid stdio. That's good, except there are
nearly 130 calls to this function, yet what if one of them depended on
fflush() or something else in this code? The semantic change was
never checked. That is not how we do development -- back this out
until we know that checking work has been done.


# 1.45 03-Dec-2004 moritz

make reply() reentrant. fixes a signal race.
ok henning@


# 1.44 28-Nov-2004 henning

privilege separate ftpd
handle the pre-authentication phase (minus a tiny tiny tiny amount
of code after accept()) in an unprivileged process, asking the
privileged monitor for help where needed.
work by Moritz Jodeit <moritz@jodeit.org> with help from theo and me
tests theo ian@ matthieu@ ben@networkinsanity.com a.schlichting@lemarit.com


Revision tags: OPENBSD_3_5_BASE OPENBSD_3_6_BASE
# 1.43 10-Dec-2003 deraadt

spacing


Revision tags: OPENBSD_3_4_BASE
# 1.42 02-Jun-2003 millert

Remove the advertising clause in the UCB license which Berkeley
rescinded 22 July 1999. Proofed by myself and Theo.


Revision tags: OPENBSD_3_2_BASE OPENBSD_3_3_BASE
# 1.41 02-Jul-2002 danh

* use lostconn() as the SIGALRM handler in receive_data() as originally
done by downsj@ in revision 1.54.

* some -Wall cleanup
- only declare check_host() if TCPWRAPPERS is defined.
- use socklen_t where appropriate instead of int (pointer signedness
warnings).
- {u_}char * pointer signedness warnings.

ok millert@


# 1.40 17-Jun-2002 danh

Initialize SIGALRM handler once in main(), instead of in several
different locations.

This fixes a problem where the SIGALRM handler was being set to an
uninitialized pointer in receive_data(). Originally reported to the
misc@ list by Colin Harford.

ok millert@


Revision tags: OPENBSD_3_1_BASE
# 1.39 19-Feb-2002 mpech

Rewrite upper().

millert@ ok



