Bugtraq mailing list archives

Re: ftpd: the advisory version

From: teo () DIGIRO NET (Teodor Cimpoesu)
Date: Wed, 28 Jun 2000 23:46:34 +0300


Hi Dan!

void
func_proper (unsigned char *domain)
{
    int             len = domain[0];
    unsigned char   buff[64];


    if (len >= 64)
            return;

    strncpy (buff, &domain[1], len);
    buff[63] = '\x00';
}


Uh, no, the strncpy() prototype is:

    char *strncpy(char *dst, const char *src, size_t n);

len should be a size_t (which is typedef'd to be some kind of unsigned int),
which would avoid the problem (without having to mess with explicitly
unsigned chars, which will cause warnings on platforms where chars are
signed, for one thing).


suppose domain[0] == '\x80', then if domain is `signed char' then
len is -128, and if it's casted to unsigned int when calling
strncpy can be 2^(sizeof(int)*8-1)-1, so there you go :)

-- teodor

Current thread:

Re: ftpd: the advisory version, (continued)
- Re: ftpd: the advisory version Jim Knoble (Jun 26)
  - Re: ftpd: the advisory version Olaf Kirch (Jun 27)
    - Re: ftpd: the advisory version Mike Eldridge (Jun 29)
- Linux capability bounding set weakness Patrick Reynolds (Jun 26)
  - Re: Linux capability bounding set weakness Paul Wouters (Jun 27)
  - Re: Linux capability bounding set weakness Matthew Kirkwood (Jun 27)
  - Improved ARP sniffer Paul Starzetz (Jun 27)
- [suse-security-announce] SuSE Security Announcement: kernel-2.2.x (fwd) Daniel T. Chen (Jun 27)
- Re: ftpd: the advisory version Steven M. Bellovin (Jun 26)
- Re: ftpd: the advisory version Dan Harkless (Jun 27)
  - Re: ftpd: the advisory version Teodor Cimpoesu (Jun 28)
  - Re: ftpd: the advisory version Sebastian (Jun 28)
    - Re: ftpd: the advisory version Kasatenko Ivan Alex. (Jun 29)
    - Re: ftpd: the advisory version Barney Wolff (Jun 29)
    - Re: ftpd: the advisory version Sebastian (Jun 29)
    - (forw) Re: Netscape ftp Server (fwd) Elias Levy (Jun 29)
  - Re: ftpd: the advisory version Juergen P. Meier (Jun 30)
  - SecureXpert Advisory [SX-20000620-1] SecureXpert DIRECT Sender (Jun 30)
  - SecureXpert Advisory [SX-20000620-3] SecureXpert DIRECT Sender (Jun 30)
- Re: ftpd: the advisory version Roger Espel Llima (Jun 28)
- Re: ftpd: the advisory version Kragen Sitaker (Jun 28)