[15564] in bugtraq


Re: ftpd: the advisory version

daemon@ATHENA.MIT.EDU (Sebastian)
Fri Jun 30 16:32:18 2000

Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Message-Id:  <20000629210209.A31655@nb.in-berlin.de>
Date:         Thu, 29 Jun 2000 21:02:09 +0200
Reply-To: Sebastian <scut@NB.IN-BERLIN.DE>
From: Sebastian <scut@NB.IN-BERLIN.DE>
X-To:         "Kasatenko Ivan Alex." <admin@RNC.RU>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  <20000629115521.A18711@rnc.ru>; from admin@RNC.RU on Thu, Jun 29,
              2000 at 11:55:21AM +0400

> Hello!

Hi.

> > So this is still unsafe:

> > void
> > func_weak (char *domain)
> > {
> > 	unsigned char	buff[2000];
> > 	size_t		len = domain[0];
> >
> > 	strncpy (&buff[0], &domain[1], len);
> > 	buff[1999] = '\x00';
> > }
> >

> It *is* safe, as far as the char type is concerned.
> And len cannot fall below zero and cannot grow above
> 255. (0 <= char <= 255, on most platforms)
> The size of buff is much more than 255. So this code
> is safe, in my opinion.

Welcome to the thinking of programmers who fall for this type of bug. It's
not a shame, it's easy to overlook, but yes, it is UNSAFE.

Example:
---[footest.c]---

#include <stdio.h>
#include <string.h>

int
main (int argc, char *argv[])
{
        int     i;
        size_t  len;
        char    source[300];
        char    buff[300];
        char    foo = '\x80';   /* -128 where char is signed */

        /* fill the source with '-' and terminate it properly */
        for (i = 0 ; i < sizeof (source) ; ++i)
                source[i] = '-';
        source[sizeof (source) - 1] = '\x00';

        /* plain char -> size_t: the negative value is sign-extended */
        len = foo;
        strncpy (buff, source, len);
        for (i = 0 ; buff[i] == '-' ; ++i)
                ;

        printf ("%d\n", i);
        return 0;
}
---[end]---

gives:
Breakpoint 2, main (argc=1, argv=0xbffffd24) at footest.c:20
20              len = foo;
(gdb) n
21              strncpy (buff, source, len);
(gdb) display len
1: len = 4294967168
(gdb) n

Program received signal SIGSEGV, Segmentation fault.
0x40054949 in strncpy ()
(gdb)

For a reason unknown to me, strncpy segfaults for such a long len
parameter, although the source buffer is terminated, but it demonstrates
very well that len can reach huge values.

> The problem may reveal itself only on computers where
> char type is signed by default.

Which it is on all platforms I know of. The compiler assumes that all simple
C types are signed unless explicitly given a type modifier such as
unsigned.

> *wave*,
> 	John <skywriter@rnc.ru>

ciao,
scut

--
- scut@nb.in-berlin.de - http://nb.in-berlin.de/scut/ --- you don't need a --
-- lot of people to be great, you need a few great to be the best ------------
http://3261000594/scut/pgp - 5453 AC95 1E02 FDA7 50D2 A42D 427E 6DEF 745A 8E07
-- data in VK/USA Mayfly experienced, awaiting transfer location, hi echelon -
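Editor's added example, not code from the post above: the length-byte
pattern discussed in the thread, written so the result does not depend on
the platform's default char signedness, beside a hardened copy routine.
The sample messages are constructed for this example, and the function
names weak_len, fixed_len and copy_checked are hypothetical. One note on the
segfault the post leaves unexplained: strncpy writes exactly len bytes to
the destination, padding with NUL bytes after the source terminator, so a
len of 4294967168 runs off the end of buff regardless of how long source is.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample input: a length-prefixed string whose length byte is
 * 0x80.  Read through a signed char that byte is -128. */
static const unsigned char sample_msg[]   = { 0x80, 'h', 'e', 'l', 'l', 'o', '\0' };
/* Constructed sample with a small, honest length byte. */
static const unsigned char sample_short[] = { 0x03, 'a', 'b', 'c' };

/* The vulnerable pattern from the thread.  `signed char` is used explicitly
 * so the demonstration is the same on every platform: the negative value is
 * sign-extended when converted to size_t and becomes enormous. */
size_t weak_len(const char *domain)
{
    signed char first = (signed char)domain[0];
    size_t len = first;          /* -128 -> SIZE_MAX - 127 */
    return len;
}

/* Reading the length byte through unsigned char keeps it in 0..255. */
size_t fixed_len(const char *domain)
{
    unsigned char first = (unsigned char)domain[0];
    return first;                /* 0x80 -> 128 */
}

/* Hardened copy: the length is read as unsigned and bounded by both the
 * destination size and the bytes actually present in the message.
 * memcpy plus an explicit terminator avoids strncpy's NUL padding.
 * Returns the number of bytes copied, or -1 if the length is unusable. */
int copy_checked(char *dst, size_t dst_size,
                 const unsigned char *msg, size_t msg_size)
{
    if (dst_size == 0 || msg_size < 1)
        return -1;
    size_t len = msg[0];                 /* unsigned: at most 255 */
    if (len >= dst_size)                 /* keep room for the NUL */
        return -1;
    if (len > msg_size - 1)              /* never read past the message */
        return -1;
    memcpy(dst, msg + 1, len);
    dst[len] = '\0';
    return (int)len;
}

int main(void)
{
    char buff[2000];
    printf("weak_len     = %zu\n", weak_len((const char *)sample_msg));
    printf("fixed_len    = %zu\n", fixed_len((const char *)sample_msg));
    printf("copy_checked = %d (sample_msg: length byte claims more than present)\n",
           copy_checked(buff, sizeof buff, sample_msg, sizeof sample_msg));
    printf("copy_checked = %d (sample_short: \"%s\")\n",
           copy_checked(buff, sizeof buff, sample_short, sizeof sample_short), buff);
    return 0;
}
```

Note that copy_checked rejects sample_msg not because 128 is too large for
the 2000-byte buffer, but because the message only carries six bytes after
the length byte: both bounds have to hold, and neither is implied by the
"char fits in 255" reasoning the thread starts from.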
