Bugtraq mailing list archives
Re: Wu-ftpd 2.6.1(1)
From: Chris Evans <chris () SCARY BEASTS ORG>
Date: Mon, 2 Oct 2000 23:57:57 +0100
[I wrote erroneously]
-----Original Message-----
quote %s%s%s%s%s%s%s%s%s%s
500 'QUOTE %s%s%s%s%s%s%s%s%s%s': command not understood.

D'oh, of course the FTP client quote command is not an FTP protocol command.

In case anyone cares, I isolated the _client_ bug which started this whole thread.

In ftp/cmds.c:

    quote1()
    ...
            if (command(buf) == PRELIM) {
                    while (getreply(0) == PRELIM);
            }
    ...

The command() call is a varargs and the first argument is in fact eventually passed as a format string to vsprintf().

It has been fixed in some but not all codebases derived from bsd-ftp. For example it is fixed in Linux netkit-0.17-pre20000412;

    ...
            if (command("%s", buf) == PRELIM) {
                    while (getreply(0) == PRELIM);
            }
    ...

But all this is highly uninteresting because the segfault occurs in response to what a user types in at the ftp> prompt, NOT in response to anything a malicious server might be sending out.

Cheers
Chris
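The difference between the two call forms quoted in the message, as an added example that is not part of the original post or of the bsd-ftp/netkit source. The body of command() here is a hypothetical stand-in that formats into a local buffer; `sent`, `quote_unfixed`, `quote_fixed` and the `LINT_FORMAT` macro are names assumed for illustration.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

static char sent[256];   /* stands in for the control-connection write */

/* Hypothetical varargs helper shaped like the command() the mail describes:
 * its first argument ends up as a printf-style format string.
 * Build with -DLINT_FORMAT -Wformat -Wformat-security to have GCC/Clang
 * flag the command(buf) call below. */
#ifdef LINT_FORMAT
__attribute__((format(printf, 1, 2)))
#endif
static int command(const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(sent, sizeof sent, fmt, ap);  /* bounded, unlike vsprintf */
    va_end(ap);
    return n;
}

/* Pre-fix pattern: the typed line is the format string itself. */
static const char *quote_unfixed(const char *buf)
{
    command(buf);
    return sent;
}

/* Post-fix pattern (as in the netkit excerpt): the typed line is only data. */
static const char *quote_fixed(const char *buf)
{
    command("%s", buf);
    return sent;
}

int main(void)
{
    /* Constructed input. "%%" takes no argument, so both calls are well
     * defined; directives such as %s would read arguments never passed. */
    const char *typed = "SITE NOTE 100%% done";
    printf("unfixed: %s\n", quote_unfixed(typed));
    printf("fixed:   %s\n", quote_fixed(typed));
    return 0;
}
```

The unfixed form rewrites the typed text (the doubled percent sign collapses to one), which shows the input is being parsed as a format; the fixed form passes it through byte for byte.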