commit b2263c45b76e09cf07b7149fb84b85777c682047 from: Omar Polo date: Sun Jan 16 11:08:21 2022 UTC fix loop for writes don't write more than fetched. The code wrote up to sizeof(buf), but it may try to write more than the data sent, which is r (<= sizeof(buf)).
commit - 76521d264f0abeb4a3bb6c8e55d50b1332f766dc
commit + b2263c45b76e09cf07b7149fb84b85777c682047
blob - 3dcd0d0f68154efbef9420935efcd83bfc91320c
blob + 39f6ae2ca4f588e5ce2850fb6cf4fdf72c05cf47
--- kamiftp/ftp.c
+++ kamiftp/ftp.c
@@ -598,16 +598,15 @@ fetch_fid(int fid, int fd, const char *name)
 p.max = st.length;
 for (;;) {
- size_t siz, off;
+ size_t off;
 ssize_t nw;
 r = do_read(fid, p.done, sizeof(buf), buf);
 if (r == 0) break;
- siz = sizeof(buf);
- for (off = 0; off < siz; off += nw)
- if ((nw = write(fd, buf + off, siz - off)) == 0 ||
+ for (off = 0; off < r; off += nw)
+ if ((nw = write(fd, buf + off, r - off)) == 0 ||
 nw == -1) err(1, "write");
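Review bot: The new bound `off < r` and length `r - off` mix `size_t off` with `r`, whose declaration and the return type of `do_read()` lie outside the hunk; if `r` is signed and `do_read()` can return a negative value, only `r == 0` is filtered, and the conversion to `size_t` would make `write()` read far past the end of `buf`. If that is possible, the guard should be `if (r <= 0) break;` (or an explicit error path). If `r` is already `size_t`, a short comment above the loop such as `/* r <= sizeof(buf): bytes actually read */` would document the invariant this fix relies on. Separately, the `nw == 0` branch calls `err(1, "write")` although a zero return from `write()` does not set `errno`, so the message may show a stale error; `errx(1, "write: short write")` would be clearer for that case. The enclosing `for (;;)` body continues outside the hunk.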