[15542] in bugtraq
Re: ftpd: the advisory version
daemon@ATHENA.MIT.EDU (Teodor Cimpoesu)
Thu Jun 29 01:13:04 2000
Mail-Followup-To: Teodor Cimpoesu <teo@digiro.net>, BUGTRAQ@SECURITYFOCUS.COM
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Message-ID: <20000628234634.A22896@digiro.net>
Date: Wed, 28 Jun 2000 23:46:34 +0300
Reply-To: teo@digiro.net
From: Teodor Cimpoesu <teo@digiro.net>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <200006272242.PAA20500@dilvish.speed.net>; from dan-bugtraq@DILVISH.SPEED.NET on Tue, Jun 27, 2000 at 03:41:59PM -0700

Hi Dan!
> > void
> > func_proper (unsigned char *domain)
> > {
> >     int len = domain[0];
> >     unsigned char buff[64];
> >
> >     if (len >= 64)
> >         return;
> >
> >     strncpy (buff, &domain[1], len);
> >     buff[63] = '\x00';
> > }
>
> Uh, no, the strncpy() prototype is:
>
> char *strncpy(char *dst, const char *src, size_t n);
>
> len should be a size_t (which is typedef'd to be some kind of unsigned int),
> which would avoid the problem (without having to mess with explicitly
> unsigned chars, which will cause warnings on platforms where chars are
> signed, for one thing).
suppose domain[0] == '\x80', then if domain is `signed char' then
len is -128, and if it's cast to unsigned int when calling
strncpy it can be 2^(sizeof(int)*8-1)-1, so there you go :)
-- teodor
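The conversion chain discussed in this thread, as an added C example that is not part of the original mail: the length byte 0x80 read through a `signed char` pointer, what the quoted `if (len >= 64)` guard does with it, the `size_t` that strncpy()'s third parameter would receive, and a bounded variant that reads the byte as unsigned. The sample inputs, the `scratch` buffer and the helper names are constructed for this example.

```c
#include <stddef.h>
#include <string.h>

/* Constructed sample inputs: a length byte followed by payload bytes.
 * sample_bad carries length byte 0x80, which is -128 as a signed char. */
static const signed char sample_bad[] = { (signed char)0x80, 'a', 'b', 'c', 0 };
static const signed char sample_ok[]  = { 3, 'a', 'b', 'c', 0 };
static char scratch[64];  /* constructed destination buffer for the bounded copy */

/* What `int len = domain[0];` yields when domain points at signed chars. */
int length_as_int(const signed char *domain)
{
    return domain[0];            /* 0x80 sign-extends to -128 */
}

/* The quoted guard `if (len >= 64) return;` applied to that value. */
int original_guard_rejects(const signed char *domain)
{
    int len = domain[0];
    return len >= 64;            /* -128 >= 64 is false: input is NOT rejected */
}

/* The size_t that strncpy()'s third parameter would actually receive. */
size_t length_as_size_t(const signed char *domain)
{
    int len = domain[0];
    return (size_t)len;          /* -128 converts to SIZE_MAX - 127 */
}

/* Bounded variant: read the length byte as unsigned (0..255), keep it in
 * size_t as strncpy expects, and reject anything that does not fit.
 * Returns the byte count copied, or -1 if the input was rejected. */
int func_proper_fixed(const signed char *domain, char *buff, size_t buffsz)
{
    size_t len = (unsigned char)domain[0];
    if (len >= buffsz)
        return -1;
    memcpy(buff, &domain[1], len);   /* caller supplies at least len+1 bytes */
    buff[len] = '\0';
    return (int)len;
}
```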