Description of problem:

See: http://www.exploit-db.com/exploits/17806/

The account name as shown there is too long for our ftp, but a name longer than 128 chars should do to reproduce.

The problem is in cmds.c account():

    1840 strncat(buf, *argv, sizeof(buf)-strlen(buf));
    1841 buf[sizeof(buf)-1] = 0;

strncat always writes a terminating null, so this should say sizeof(buf)-strlen(buf)-1. Line 1841 should be redundant.

So this is a one-byte overflow with '\0', triggered by (trusted) user input, caught by fortify source.
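The off-by-one described above, reproduced as an added example (not code from cmds.c or from the report): the bound quoted at line 1840 is compared with the corrected `-1` bound. The names `append_clobbers`, `try_len`, `BUFSZ` and `CANARY` are hypothetical, the 128-byte size is assumed from the reproduction note, and the buffer is modelled as the first 128 bytes of a larger array so the stray `'\0'` lands on a canary byte instead of out of bounds.

```c
#include <stdio.h>
#include <string.h>

#define BUFSZ  128   /* logical size of buf; assumed for this example */
#define CANARY 0x7f  /* marks the byte just past the logical buffer */

/* Appends arg to prefix with the bound from the report (fixed == 0) or the
 * corrected bound (fixed != 0). The logical buffer is the first BUFSZ bytes
 * of a larger array, so the stray terminator hits a canary byte rather than
 * memory outside the object. Returns 1 if the byte past the buffer changed. */
int append_clobbers(const char *prefix, const char *arg, int fixed)
{
    char backing[BUFSZ + 1];
    size_t room;

    memset(backing, CANARY, sizeof(backing));
    snprintf(backing, BUFSZ, "%s", prefix);

    room = BUFSZ - strlen(backing);   /* bound as quoted at line 1840 */
    if (fixed)
        room -= 1;                    /* reserve space for strncat's '\0' */

    strncat(backing, arg, room);      /* copies up to room chars, then '\0' */
    backing[BUFSZ - 1] = 0;           /* line 1841: runs after the write */

    return (unsigned char)backing[BUFSZ] != CANARY;
}

/* Builds a constructed argument of n 'A' characters (n < 256) and appends it
 * to an empty buffer. */
int try_len(size_t n, int fixed)
{
    char arg[256];

    memset(arg, 'A', n);
    arg[n] = '\0';
    return append_clobbers("", arg, fixed);
}

int main(void)
{
    printf("200 chars, original bound:  clobbered=%d\n", try_len(200, 0));
    printf("200 chars, corrected bound: clobbered=%d\n", try_len(200, 1));
    printf("127 chars, original bound:  clobbered=%d\n", try_len(127, 0));
    return 0;
}
```

With an empty buffer the original bound only misbehaves once the argument reaches 128 characters; a 127-character argument still fits, which is why short account names never trip the fortify check.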