Bugtraq mailing list archives

Re: ftpd: the advisory version


From: barney () PIT DATABUS COM (Barney Wolff)
Date: Thu, 29 Jun 2000 14:53:13 -0400


This is incorrect.  Solaris cc will make len very large, if the high bit
of domain[0] is set.  (Tested on Solaris 2.6)  So, it's safe if char is
unsigned, unsafe if char is signed.
Barney Wolff

Kasatenko Ivan Alex. sent:
#include <stddef.h>
#include <string.h>

void
func_weak (char *domain)
{
    unsigned char   buff[2000];
    size_t          len = domain[0];   /* the disputed line: a plain char widened to size_t */

    strncpy ((char *)&buff[0], &domain[1], len);
    buff[1999] = '\x00';
}


It *is* safe, as far as the char type is concerned.
And len cannot fall below zero and cannot grow above
255. (0 <= char <= 255, on most platforms)
The size of buff is much more than 255. So this code
is safe, in my opinion.

The problem may reveal itself only on computers where
char type is signed by default.
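Added example (not code from either poster): the two readings of domain[0] side by side, plus a hardened variant of func_weak that clamps the length to its destination. The length-prefixed input SAMPLE_HIGH_BIT is constructed for this illustration.

```c
#include <limits.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed length-prefixed input (not from the original post): the length
 * byte has its high bit set, four payload bytes follow. */
static const char SAMPLE_HIGH_BIT[] = { (char)0x80, 'a', 'b', 'c', 'd', '\0' };

/* Length exactly as func_weak computes it: plain char widened to size_t.
 * Where char is signed (CHAR_MIN < 0), 0x80 is -128 and wraps to SIZE_MAX - 127. */
size_t len_as_written(const char *domain)
{
    size_t len = domain[0];
    return len;
}

/* Portable reading: convert via unsigned char, so the result is always 0..255. */
size_t len_unsigned(const char *domain)
{
    return (unsigned char)domain[0];
}

/* Hardened func_weak: unsigned length, clamped to the destination, stops at the
 * source's own NUL, always terminates.  Returns the number of bytes copied. */
size_t func_safe(const char *domain, char *out, size_t outsz)
{
    size_t len = len_unsigned(domain);
    size_t i;
    if (outsz == 0)
        return 0;
    if (len > outsz - 1)
        len = outsz - 1;
    for (i = 0; i < len && domain[1 + i] != '\0'; i++)
        out[i] = domain[1 + i];
    out[i] = '\0';
    return i;
}

int main(void)
{
    char out[8];
    size_t n = func_safe(SAMPLE_HIGH_BIT, out, sizeof out);
    printf("char is %s; len as written = %zu, as unsigned = %zu\n",
           CHAR_MIN < 0 ? "signed" : "unsigned",
           len_as_written(SAMPLE_HIGH_BIT), len_unsigned(SAMPLE_HIGH_BIT));
    printf("func_safe copied %zu bytes: \"%s\"\n", n, out);
    return 0;
}
```

On a signed-char toolchain the first line of output shows the wrapped length; on an unsigned-char one both readings agree at 128, which is exactly the platform dependence the thread argues about.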
