[15547] in bugtraq


Re: ftpd: the advisory version

daemon@ATHENA.MIT.EDU (Kragen Sitaker)
Thu Jun 29 02:41:48 2000

Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-Id:  <Pine.GSO.4.21.0006290142200.20336-100000@kirk.dnaco.net>
Date:         Thu, 29 Jun 2000 01:45:51 -0400
Reply-To: Kragen Sitaker <kragen@POBOX.COM>
From: Kragen Sitaker <kragen@POBOX.COM>
To: BUGTRAQ@SECURITYFOCUS.COM

Someone writes:
> [Dan Harkless wrote:]
> > len should be a size_t (which is typedef'd to be some kind of unsigned
> > int), which would avoid the problem (without having to mess with
> > explicitly unsigned chars, which will cause warnings on platforms where
> > chars are signed, for one thing).
>
> suppose domain[0] == '\x80'; then if domain is `signed char', len is
> -128, and if it's cast to unsigned int when calling strncpy it can be
> 2^(sizeof(int)*8-1)-1, so there you go :)

I was going to reply to Dan's post and say the same thing, but then I
realized that he didn't mean making len size_t or otherwise unsigned
would make the code handle >127-char strings; he meant that it would
return here:

        if (len >= 64)
                return;

And he's right.  Making len be a size_t will prevent this bug from
becoming a buffer overflow.  ;)

--
<kragen@pobox.com>       Kragen Sitaker     <http://www.pobox.com/~kragen/>
The Internet stock bubble didn't burst on 1999-11-08.  Hurrah!
<URL:http://www.pobox.com/~kragen/bubble.html>
The power didn't go out on 2000-01-01 either.  :)
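Added example, not from the thread or from ftpd's source: a constructed C model of the two variants discussed above. The name `domain`, the first byte being used as a length, and the 64-byte limit come from the quoted snippet; the sample inputs and function names are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed model of the length check discussed in the thread. The name
 * `domain`, the idea that its first byte is used as a length, and the
 * 64-byte limit come from the quoted snippet; everything else here is an
 * assumption made for illustration, not ftpd's actual source. */

/* Constructed inputs: the first byte is the length field. */
static const char SAMPLE_HIGH_BYTE[] = "\x80" "abc";  /* 0x80: 128, or -128 if signed */
static const char SAMPLE_SHORT[]     = "\x10" "abc";  /* 16: within the limit */
static const char SAMPLE_TOO_LONG[]  = "\x50" "abc";  /* 80: over the limit */

/* Buggy variant: len is a plain int fed from a signed char.
 * Returns 1 if the check lets the input through, 0 if it rejects it. */
int bounds_check_signed(const char *domain)
{
    int len = (signed char)domain[0];   /* '\x80' -> -128 */
    if (len >= 64)
        return 0;                       /* rejected */
    return 1;                           /* accepted; a strncpy with len would follow */
}

/* Fixed variant (Dan's suggestion): len is a size_t. The negative value
 * converts to SIZE_MAX - 127, which is >= 64, so the check returns. */
int bounds_check_size_t(const char *domain)
{
    size_t len = (signed char)domain[0];
    if (len >= 64)
        return 0;
    return 1;
}

/* The count strncpy would receive from the buggy variant once the int
 * is implicitly converted to size_t at the call. */
size_t strncpy_count_seen(const char *domain)
{
    int len = (signed char)domain[0];
    return (size_t)len;
}

int main(void)
{
    printf("int len:    0x80 accepted=%d, strncpy count=%zu\n",
           bounds_check_signed(SAMPLE_HIGH_BYTE),
           strncpy_count_seen(SAMPLE_HIGH_BYTE));
    printf("size_t len: 0x80 accepted=%d\n",
           bounds_check_size_t(SAMPLE_HIGH_BYTE));
    return 0;
}
```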
