Netatalk · rdmark · Apr 12, 2026
diff --git a/fuse/fuse_internal.h b/fuse/fuse_internal.h
@@ -6,8 +6,7 @@
 struct fuse_client {
     char incoming_string[AFP_CLIENT_INCOMING_BUF];
     int incoming_size;
-    /* char client_string[sizeof(struct afp_server_response) + MAX_CLIENT_RESPONSE]; */
-    char client_string[1000 + MAX_CLIENT_RESPONSE];
+    char client_string[MAX_CLIENT_RESPONSE];
     int fd;
     struct fuse_client *next;
 };

diff --git a/lib/lowlevel.c b/lib/lowlevel.c
@@ -395,6 +395,13 @@
 }
 
 
+/* FIXME: chunked reads are not implemented. The original intent was to loop,
+ * issuing rx_quantum-sized requests until all bytes were read (see the #if 0
+ * bytesleft block below). Currently a single afp_read/afp_readext call is
+ * issued for the full size, which means when size > rx_quantum the server is
+ * asked for more data than buffer.maxsize can hold. Either restore the loop or
+ * remove the rx_quantum cap on buffer.maxsize and document that chunking is
+ * delegated to the AFP layer. */
 int ll_read(struct afp_volume * volume,
             char *buf, size_t size, off_t offset,
             struct afp_file_info *fp, int *eof)

diff --git a/lib/midlevel.c b/lib/midlevel.c
@@ -416,7 +416,6 @@ int ml_read(struct afp_volume * volume, const char *path,
             struct afp_file_info *fp, int *eof)
 {
     int ret = 0;
-    //unsigned int bufsize=min(volume->server->rx_quantum,size);
     char converted_path[AFP_MAX_PATH];
     size_t amount_copied = 0;
     *eof = 0;

diff --git a/lib/proto_directory.c b/lib/proto_directory.c
@@ -273,8 +273,18 @@
     } __attribute__((__packed__)) * reply = (void *) buf;
     const ext2_reply_entry *entry;
     char *p = buf + sizeof(*reply);
+    /* FIXME: max was stubbed out and the bounds check was never implemented.
+     * The loop advances p by entry->size (uint16_t, server-supplied) with no
+     * validation, so a malicious or buggy server can walk p past buf+size.
+     * Per the spec, ActualCount (here: reqcount) bounds the iteration, but
+     * each entry->size must also be validated:
+     *   1. p + sizeof(*entry) <= max  — before casting p to ext2_reply_entry*
+     *   2. ntohs(entry->size) >= sizeof(*entry)  — prevent stall/underflow
+     *   3. p + ntohs(entry->size) <= max  — before advancing p
+     * Restore 'char *max = buf + size' and add these three guards inside the
+     * loop, breaking out (not returning an error) on violation per spec note:
+     * "enumerate until kFPObjectNotFound... filter out duplicates". */
     int i;
-    //char  *max=buf+size;
     struct afp_file_info * filebase = NULL, *filecur = NULL, *new_file = NULL,
                                                               **x = (struct afp_file_info **) other;