Bugtraq mailing list archives

Re: ftpd: the advisory version


From: kragen () POBOX COM (Kragen Sitaker)
Date: Thu, 29 Jun 2000 01:45:51 -0400


Someone writes:
[Dan Harkless wrote:]
len should be a size_t (which is typedef'd to be some kind of unsigned
int), which would avoid the problem (without having to mess with
explicitly unsigned chars, which will cause warnings on platforms where
chars are signed, for one thing).

suppose domain[0] == '\x80', then if domain is `signed char' then
len is -128, and if it's cast to unsigned int when calling
strncpy it can be 2^(sizeof(int)*8-1)-1, so there you go :)

I was going to reply to Dan's post and say the same thing, but then I
realized that he didn't mean making len size_t or otherwise unsigned
would make the code handle >127-char strings; he meant that it would
return here:

        if (len >= 64)
                return;

And he's right.  Making len be a size_t will prevent this bug from
becoming a buffer overflow.  ;)

--
<kragen () pobox com>       Kragen Sitaker     <http://www.pobox.com/~kragen/>
The Internet stock bubble didn't burst on 1999-11-08.  Hurrah!
<URL:http://www.pobox.com/~kragen/bubble.html>
The power didn't go out on 2000-01-01 either.  :)
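An added example, not code from the ftpd source or from either poster, modelling the pattern the thread describes: a length byte read from a `signed char` buffer, the `len >= 64` check, and the count that would reach strncpy. The 64-byte label size, the function names and the sample labels are assumptions made for the demonstration.

```c
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define MAX_LABEL 64

/* Constructed inputs: a well-formed length-prefixed label, and one whose
   length byte has the high bit set (-128 when read as a signed char). */
static const signed char good_label[] = { 3, 'f', 't', 'p', 0 };
static const signed char bad_label[]  = { -128, 'x', 'y', 0 };

/* Flawed pattern: the length byte lands in a signed int. Returns the count
   strncpy would receive after the implicit conversion to size_t, or 0 if
   the `len >= 64` check rejects the label. */
size_t copy_len_signed(const signed char *domain)
{
    int len = domain[0];          /* -128 for bad_label */
    if (len >= MAX_LABEL)
        return 0;                 /* a negative len sails past this check */
    return (size_t)len;           /* wraps to SIZE_MAX - 127 inside strncpy */
}

/* Dan Harkless's fix: hold len in a size_t, so the wrap happens before the
   bound check and the huge value is rejected. */
size_t copy_len_size_t(const signed char *domain)
{
    size_t len = (size_t)domain[0];
    if (len >= MAX_LABEL)
        return 0;
    return len;
}

/* The fixed check applied to a real copy into a 64-byte buffer.
   Returns 1 and fills `out` on success, 0 if the label is rejected. */
int copy_label(const signed char *domain, char out[MAX_LABEL])
{
    size_t len = (size_t)domain[0];
    if (len >= MAX_LABEL)
        return 0;
    memcpy(out, domain + 1, len); /* len is at most 63 here */
    out[len] = '\0';
    return 1;
}

int main(void)
{
    char out[MAX_LABEL];
    printf("int len, bad label: strncpy would get %zu bytes\n", copy_len_signed(bad_label));
    printf("size_t len, bad label: rejected -> %zu\n", copy_len_size_t(bad_label));
    printf("good label: ok=%d out=\"%s\"\n", copy_label(good_label, out), out);
    return 0;
}
```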
