Bugtraq mailing list archives
Re: ftpd: the advisory version
From: scut () NB IN-BERLIN DE (Sebastian)
Date: Thu, 29 Jun 2000 21:02:09 +0200
> Hello!
Hi.
> > So this is still unsafe:
> >
> > void func_weak (char *domain)
> > {
> >     unsigned char buff[2000];
> >     size_t len = domain[0];
> >
> >     strncpy (&buff[0], &domain[1], len);
> >     buff[1999] = '\x00';
> > }
>
> It *is* safe, as far as the char type is concerned. And len cannot fall below zero and cannot grow above 255. (0 <= char <= 255, on most platforms) The size of buff is much more than 255. So this code is safe, in my opinion.
Welcome to the thinking of programmers who fall for this type of bug. It's not a shame, it's easy to overlook, but yes, it is UNSAFE. Example:

---[footest.c]---
#include <stdio.h>
#include <string.h>

int main (int argc, char *argv[])
{
    int i;
    size_t len;
    char source[300];
    char buff[300];
    char foo = '\x80';

    for (i = 0 ; i < sizeof (source) ; ++i)
        source[i] = '-';
    source[sizeof (source) - 1] = '\x00';

    /* where char is signed, foo is -128; the conversion to size_t
     * sign-extends it to a huge value */
    len = foo;
    /* strncpy pads the destination with NULs up to len, so this
     * writes far past the end of buff */
    strncpy (buff, source, len);

    for (i = 0 ; buff[i] == '-' ; ++i)
        ;
    printf ("%d\n", i);

    return 0;
}
---[end]---

gives:

Breakpoint 2, main (argc=1, argv=0xbffffd24) at footest.c:20
20        len = foo;
(gdb) n
21        strncpy (buff, source, len);
(gdb) display len
1: len = 4294967168
(gdb) n

Program received signal SIGSEGV, Segmentation fault.
0x40054949 in strncpy ()
(gdb)

For a reason unknown to me the strncpy segfaults for such a long len parameter, although the source buffer is terminated, but it demonstrates very well that len can reach huge values.
> The problem may reveal itself only on computers where char type is signed by default.
Which it is on all platforms I know. The compiler assumes that all simple C types are signed except if explicitly given a type modifier such as unsigned.
> *wave*, John <skywriter () rnc ru>
ciao,
scut

--
- scut () nb in-berlin de - http://nb.in-berlin.de/scut/ --- you don't need a --
-- lot of people to be great, you need a few great to be the best ------------
http://3261000594/scut/pgp - 5453 AC95 1E02 FDA7 50D2 A42D 427E 6DEF 745A 8E07
-- data in VK/USA Mayfly experienced, awaiting transfer location, hi echelon -
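Added example, not code from this thread or from the ftpd under discussion: the length byte read the way func_weak reads it, beside a hardened read that goes through unsigned char and a copy that checks the declared length against both the input and the destination. The sample buffers and function names are constructed for this example.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed samples: a length byte followed by data.  The first declares
 * a length of 0x80 (128), far more than the three bytes that follow. */
static const char sample_high[] = { (char)0x80, 'a', 'b', 'c' };
static const char sample_ok[]   = { 3, 'a', 'b', 'c' };

/* The length read the way func_weak reads it: through a plain char.
 * Where char is signed, 0x80 is -128, and converting -128 to size_t
 * wraps to SIZE_MAX - 127 (4294967168 on a 32-bit system, the value
 * gdb displayed above). */
size_t len_via_char(const char *p)
{
    size_t len = p[0];
    return len;
}

/* Hardened read: reinterpret the byte as unsigned char before widening,
 * so the result is 0..255 regardless of the platform's char signedness. */
size_t len_via_uchar(const char *p)
{
    return (size_t)(unsigned char)p[0];
}

/* Hardened copy of a length-prefixed field.  src_size is the number of
 * bytes available in src, length byte included.  A declared length that
 * runs past the input or would not fit dst (with its terminator) is
 * rejected rather than silently truncated.
 * Returns the number of bytes copied, or -1 on malformed input. */
int copy_prefixed(char *dst, size_t dst_size, const char *src, size_t src_size)
{
    size_t len;

    if (src_size < 1 || dst_size < 1)
        return -1;
    len = len_via_uchar(src);         /* always 0..255 */
    if (len > src_size - 1)           /* length exceeds available input */
        return -1;
    if (len > dst_size - 1)           /* no room for data plus NUL */
        return -1;
    memcpy(dst, src + 1, len);
    dst[len] = '\0';
    return (int)len;
}
```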