Bugtraq mailing list archives
Re: Wu-ftpd 2.6.1(1)
From: Chris Evans <chris () SCARY BEASTS ORG>
Date: Mon, 2 Oct 2000 23:57:57 +0100
[I wrote erroneously]
-----Original Message-----
quote %s%s%s%s%s%s%s%s%s%s
500 'QUOTE %s%s%s%s%s%s%s%s%s%s': command not understood.
D'oh, of course the FTP client quote command is not an FTP protocol
command.
In case anyone cares, I isolated the _client_ bug which started this whole
thread.
In ftp/cmds.c: quote1()
...
    if (command(buf) == PRELIM) {
        while (getreply(0) == PRELIM);
    }
...
The command() call is a varargs and the first argument is in fact
eventually passed as a format string to vsprintf().
It has been fixed in some but not all codebases derived from bsd-ftp. For
example it is fixed in Linux netkit-0.17-pre20000412;
...
    if (command("%s", buf) == PRELIM) {
        while (getreply(0) == PRELIM);
    }
...
But all this is highly uninteresting because the segfault occurs in
response to what a user types in at the ftp> prompt, NOT in response to
anything a malicious server might be sending out.
Cheers
Chris
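
The call shape discussed in the post above, as an added example that is not part of the original message or of the bsd-ftp/netkit source. The body of command() here is a hypothetical stand-in that only formats into a buffer, and count_conversions(), quote_fixed() and last_sent() are illustrative names; the format attribute is a GCC/Clang feature that lets -Wformat-security flag the command(buf) shape at compile time.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for the client's command(): formats its arguments
 * into the line that would go out on the control connection. */
static char sent[256];

#if defined(__GNUC__)
__attribute__((format(printf, 1, 2)))  /* compiler can now warn on command(buf) */
#endif
int command(const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(sent, sizeof sent, fmt, ap);  /* bounded, unlike vsprintf */
    va_end(ap);
    return n;
}

/* Count the conversion specifications a printf-family call would act on
 * if `s` were used as the format string ("%%" is a literal percent). */
int count_conversions(const char *s)
{
    int n = 0;
    for (; *s; s++) {
        if (*s != '%') continue;
        if (s[1] == '%') { s++; continue; }
        if (s[1] != '\0') n++;
    }
    return n;
}

/* Fixed call shape from the post: typed text is an argument, never the format. */
int quote_fixed(const char *user_line) { return command("%s", user_line); }

/* The line as formatted by the last command() call. */
const char *last_sent(void) { return sent; }

int main(void)
{
    const char *typed = "%s%s%s%s%s%s%s%s%s%s";  /* input quoted in the thread */
    /* command(typed);  <- unfixed shape: 10 conversions, no matching arguments */
    printf("conversions if used as format: %d\n", count_conversions(typed));
    quote_fixed(typed);
    printf("sent verbatim: %s\n", last_sent());
    return 0;
}
```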
