[15565] in bugtraq
Re: ftpd: the advisory version
daemon@ATHENA.MIT.EDU (Barney Wolff)
Fri Jun 30 16:53:06 2000
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Message-Id: <200006291853.OAA97406@pit.databus.com>
Date: Thu, 29 Jun 2000 14:53:13 -0400
Reply-To: Barney Wolff <barney@PIT.DATABUS.COM>
From: Barney Wolff <barney@PIT.DATABUS.COM>
X-To: "Kasatenko Ivan Alex." <admin@RNC.RU>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <20000629115521.A18711@rnc.ru> from "Kasatenko Ivan Alex." at "Jun 29, 2000 11:55:21 am"
This is incorrect. Solaris cc will make len very large, if the high bit
of domain[0] is set. (Tested on Solaris 2.6) So, it's safe if char is
unsigned, unsafe if char is signed.
Barney Wolff
Kasatenko Ivan Alex. sent:
> > void
> > func_weak (char *domain)
> > {
> >     unsigned char buff[2000];
> >     size_t len = domain[0];
> >
> >     strncpy (&buff[0], &domain[1], len);
> >     buff[1999] = '\x00';
> > }
> >
>
> It *is* safe, as far as the char type is concerned.
> And len cannot fall below zero and cannot grow above
> 255. (0 <= char <= 255, on most platforms)
> The size of buff is much more than 255. So this code
> is safe, in my opinion.
>
> The problem may reveal itself only on computers where
> char type is signed by default.
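The signedness question in the thread can be made platform-independent, as an added example that is not part of either poster's message. Instead of relying on what plain `char` happens to be on the build machine, the code below forces both readings of the length byte with explicit `signed char` and `unsigned char` casts, so it shows on any compiler what Solaris cc (signed char) and an unsigned-char compiler each compute for `len` when the high bit of `domain[0]` is set. `func_fixed` is an assumed rewrite of the quoted `func_weak` that reads the length byte as unsigned and also clamps it to the destination size; the helper names and the constructed inputs are this example's own.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BUFF_SIZE 2000

/* The signed-char reading (Solaris cc, per the thread): domain[0] is
   sign-extended to int and then converted to size_t, so a byte with the
   high bit set (0x80..0xFF) becomes a value near SIZE_MAX. */
size_t len_signed_char(const char *domain)
{
    signed char c = (signed char)domain[0];   /* force the signed reading */
    return (size_t)c;
}

/* The unsigned-char reading: zero-extension, always 0..255. */
size_t len_unsigned_char(const char *domain)
{
    unsigned char c = (unsigned char)domain[0];
    return (size_t)c;
}

/* 1 if this compiler treats plain char as signed, i.e. func_weak as
   quoted would compute a huge len here. */
int plain_char_is_signed(void)
{
    return CHAR_MIN < 0;
}

/* Assumed rewrite of func_weak: read the length byte as unsigned so len is
   0..255 on every platform, and clamp it to the buffer anyway so the copy
   can never run past buff. Keeps strncpy's stop-at-NUL behaviour and
   returns the number of payload bytes that ended up in buff. */
size_t func_fixed(const char *domain, unsigned char *buff, size_t buff_size)
{
    size_t len = (unsigned char)domain[0];
    if (buff_size == 0)
        return 0;
    if (len > buff_size - 1)
        len = buff_size - 1;                  /* leave room for the terminator */
    strncpy((char *)buff, domain + 1, len);
    buff[len] = '\0';
    return strlen((char *)buff);
}

/* Constructed input: length byte 0x80 followed by 128 'A's. Returns the
   number of bytes func_fixed copied into a BUFF_SIZE buffer. */
size_t demo_high_bit_input(void)
{
    static unsigned char buff[BUFF_SIZE];
    char domain[1 + 128];
    domain[0] = (char)0x80;
    memset(domain + 1, 'A', 128);
    return func_fixed(domain, buff, sizeof buff);
}

/* Constructed input: length byte 0xFF but only a 3-byte payload, copied
   into a buffer of the given size (at most BUFF_SIZE). Shows the clamp. */
size_t demo_clamp(size_t buff_size)
{
    static unsigned char buff[BUFF_SIZE];
    const char *domain = "\xff" "ABC";        /* split so the escape ends at ff */
    if (buff_size > sizeof buff)
        buff_size = sizeof buff;
    return func_fixed(domain, buff, buff_size);
}

int main(void)
{
    const char high_bit[2] = { (char)0x80, 0 };

    printf("plain char is %s on this compiler\n",
           plain_char_is_signed() ? "signed (func_weak unsafe)"
                                  : "unsigned (func_weak safe)");
    printf("len read as signed char:   %zu\n", len_signed_char(high_bit));
    printf("len read as unsigned char: %zu\n", len_unsigned_char(high_bit));
    printf("func_fixed on 0x80 input copied %zu bytes\n", demo_high_bit_input());
    printf("func_fixed clamped to a 3-byte buffer copied %zu bytes\n", demo_clamp(3));
    return 0;
}
```

On a signed-char build `len_signed_char` returns `SIZE_MAX - 127` for a 0x80 length byte, which is exactly the `len` the quoted `func_weak` would hand to `strncpy`; the unsigned reading returns 128, which is why the original is safe only where `char` is unsigned. Casting the length byte to `unsigned char` removes the dependency on the platform, and the clamp makes the copy safe even if a caller passes a smaller buffer than the 2000 bytes assumed by the original.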