From 2adec33883476f625e83809e61784253e7bae07a Mon Sep 17 00:00:00 2001
From: Daniel Markstedt
Date: Fri, 13 Mar 2026 19:08:28 +0100
Subject: [PATCH] CVE-2026-45698,CVE-2026-45699: afpd: fix stack buffer overflow in copydir() and deletedir()
Reported-by: Tsolmon Zorigoo (@ZTsolmon)
Signed-off-by: Daniel Markstedt
Reviewed-by: Andy Lemin (@andylemin)
---
 etc/afpd/directory.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/etc/afpd/directory.c b/etc/afpd/directory.c
index 8e1a335d..22d4b801 100644
--- a/etc/afpd/directory.c
+++ b/etc/afpd/directory.c
@@ -165,7 +165,7 @@ static int deletedir(const struct vol *vol, int dirfd, char *dir)
 snprintf(path, MAXPATHLEN, "%s/", dir);
 len++;
- remain = strlen(path) - len - 1;
+ remain = sizeof(path) - len - 1;
 while ((de = readdir(dp)) && err == AFP_OK) {
 /* skip this and previous directory */
@@ -231,10 +231,10 @@ static int copydir(struct vol *vol, struct dir *ddir, int dirfd, char *src,
 /* set things up to copy */
 snprintf(spath, MAXPATHLEN, "%s/", src);
 slen++;
- srem = strlen(spath) - slen - 1;
+ srem = sizeof(spath) - slen - 1;
 snprintf(dpath, MAXPATHLEN, "%s/", dst);
 dlen++;
- drem = strlen(dpath) - dlen - 1;
+ drem = sizeof(dpath) - dlen - 1;
 err = AFP_OK;
 while ((de = readdir(dp))) {
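Review bot: The new bound `remain = sizeof(path) - len - 1;` in deletedir(), and likewise `srem` and `drem` in copydir(), is only sound if `len + 1 < sizeof(path)` already holds and `path` is a true array in this scope. Neither is visible here, because both function bodies start and end outside the hunks, so an earlier length check may already cover it. If the counters are unsigned, as the size arithmetic suggests, a prefix that fills the buffer would make the subtraction wrap to a huge value, the same failure mode the old `strlen(path) - len - 1` had. The prefix is also written with `MAXPATHLEN` while the remainder is computed from `sizeof(path)`, and the `snprintf` result is ignored, so a truncated prefix would leave `len` out of step with the string actually in the buffer. I would take the length from the call itself, `int n = snprintf(path, sizeof(path), "%s/", dir);`, and leave through the function's existing error path when `n < 0 || (size_t)n >= sizeof(path) - 1` before computing the remainder. A one-line comment such as `/* bytes left in path[] after the "dir/" prefix, excluding the NUL */` would document the invariant.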