[15562] in bugtraq


Re: ftpd: the advisory version

daemon@ATHENA.MIT.EDU (Kasatenko Ivan Alex.)
Thu Jun 29 16:01:13 2000

Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Message-ID:  <20000629115521.A18711@rnc.ru>
Date:         Thu, 29 Jun 2000 11:55:21 +0400
Reply-To: "Kasatenko Ivan Alex." <admin@RNC.RU>
From: "Kasatenko Ivan Alex." <admin@RNC.RU>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  <20000628225519.A28675@nb.in-berlin.de>; from
              scut@NB.IN-BERLIN.DE on Wed, Jun 28, 2000 at 10:55:19PM +0200

Hello!

On Wed, Jun 28, 2000 at 10:55:19PM +0200, Sebastian wrote:
> Hi.
>
> So this is still unsafe:
>
> void
> func_weak (char *domain)
> {
> 	unsigned char	buff[2000];
> 	size_t		len = domain[0];
>
> 	strncpy (&buff[0], &domain[1], len);
> 	buff[1999] = '\x00';
> }
>

It *is* safe, as far as the char type is concerned.
And len cannot fall below zero and cannot grow above
255. (0 <= char <= 255, on most platforms)
The size of buff is much more than 255. So this code
is safe, in my opinion.

The problem may reveal itself only on computers where
char type is signed by default.

*wave*,
	John <skywriter@rnc.ru>
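
An added example, not part of the original message or its quoted code: it shows the value `len` takes in the quoted `func_weak` when the length byte is read through a signed versus an unsigned char, next to a bounds-checked copy. The names `len_signed_char`, `len_unsigned_char` and `copy_label`, and the sample buffer, are constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* len as func_weak computes it where plain char is signed. An explicit
 * signed char models that case identically on every platform. */
size_t len_signed_char(const unsigned char *domain)
{
    signed char c;
    memcpy(&c, domain, 1);      /* reinterpret the raw length byte */
    return (size_t)c;           /* negative value wraps to a huge size_t */
}

/* len when the length byte is read as unsigned char: always 0..255. */
size_t len_unsigned_char(const unsigned char *domain)
{
    return (size_t)domain[0];
}

/* Bounds-checked copy of a length-prefixed label. avail is the number of
 * input bytes, outsz the capacity of out. Returns the label length, or -1
 * if the label overruns the input or does not fit with its terminator. */
int copy_label(const unsigned char *domain, size_t avail, char *out, size_t outsz)
{
    size_t len;

    if (avail < 1 || outsz == 0)
        return -1;
    len = domain[0];
    if (len > avail - 1 || len >= outsz)
        return -1;
    memcpy(out, domain + 1, len);
    out[len] = '\0';
    return (int)len;
}

int main(void)
{
    unsigned char msg[201];     /* constructed sample: length byte 0xC8 + 200 bytes */
    char out[2000];

    msg[0] = 0xC8;
    memset(msg + 1, 'a', 200);
    printf("signed read:   len = %zu\n", len_signed_char(msg));
    printf("unsigned read: len = %zu\n", len_unsigned_char(msg));
    /* strncpy pads with NULs up to len, so the first value would write far past a 2000-byte buffer. */
    printf("checked copy:  %d\n", copy_label(msg, sizeof msg, out, sizeof out));
    return 0;
}
```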
