Bugtraq mailing list archives

Re: ... / wu-ftpd <=2.5 / ...

From: lundberg () VR NET (Gregory A Lundberg)
Date: Sun, 29 Aug 1999 01:30:05 -0400


On Wed, Aug 25, 1999 at 11:48:18AM +0200, Volker Borchert wrote:

|> ----------------------------
|> wu-ftpd 2.5, VR and BeroFTPD
|> ----------------------------

*** ftpd.c    Sun Jun  6 15:20:21 1999
--- ftpd_patched.c    Sun Jun  6 15:15:03 1999
***************
*** 1245,1251 ****
        /* append the dir part with a leading / unless at root */
        if( !(mapped_path[0] == '/' && mapped_path[1] == '\0') )
                strcat( mapped_path, "/" );
!       strcat( mapped_path, dir );
  }

  int
--- 1245,1254 ----
        /* append the dir part with a leading / unless at root */
        if( !(mapped_path[0] == '/' && mapped_path[1] == '\0') )
                strcat( mapped_path, "/" );
!       if ( strlen(mapped_path) + strlen (dir) < 4095 )
!               strcat( mapped_path, dir );
!       else
!         syslog(LOG_ERR, "FTP mapped_path attack ");
  }

  int

This patch has a serious flaw - like making the wolf your shepherd:
the hard coded "4095" buffer size. See line 1200:

      char mapped_path[ MAXPATHLEN ] = "/";

For example, on this here machine running SunOS 5.6, MAXPATHLEN is
1024. Use "sizeof(mapped_path)" instead.

(BTW, your diff contains DOS style "cr/lf" sequences, so anyone
 willing to apply it should pipe it into "patch" via "dos2unix".)

      vb


Which is WHY you should report bugs to the developers first.  We know
enough about the code to build a correct patch.  We'll probably even test
it against a couple machines before releasing it.  Heck, we might even fix
more than the narrow case you saw.

In this case the patch fixes the problem he _saw_ (but not the one he
missed), and ONLY on his Linux box (not on lots of other systems).  If he'd
have bothered to simply ask the developers of ANY of the packages he
discussed, he'd have gotten a review/correction of SOME of his patches.  He
didn't.  So his patches are wrong.  Such is the quality of _patches_ on
Bugtraq.  Let's face it people: if you take a patch from just anyone you
deserve what you get.

--

Gregory A Lundberg              Senior Partner, VRnet Company
1441 Elmdale Drive              lundberg () vr net
Kettering, OH 45409-1615 USA    1-800-809-2195

Current thread:

Re: ... / wu-ftpd <=2.5 / ... Volker Borchert (Aug 25)
- Dynamic DNS Jethro Tull (Aug 28)
- Re: ... / wu-ftpd <=2.5 / ... Gregory A Lundberg (Aug 28)