[15609] in bugtraq
Re: ftpd: the advisory version
daemon@ATHENA.MIT.EDU (Taneli Huuskonen)
Sun Jul 2 16:14:36 2000
Message-Id: <200007010741.e617fKG23939@sirppi.helsinki.fi>
Date: Sat, 1 Jul 2000 10:41:20 +0300
Reply-To: Taneli Huuskonen <huuskone@CC.HELSINKI.FI>
From: Taneli Huuskonen <huuskone@CC.HELSINKI.FI>
X-To: Sebastian <scut@NB.IN-BERLIN.DE>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <20000629210209.A31655@nb.in-berlin.de> from Sebastian at "Jun 29, 2000 09:02:09 pm"
Sebastian <scut@NB.IN-BERLIN.DE> wrote:
[...]
> For a reason unknown to me the strncpy segfaults for such a long len
> parameter, although the source buffer is terminated, but it demonstrates
> very well that len can reach huge values.
On all platforms I know, strncpy pads the destination buffer with nulls
if the string is too short to start with. For instance, RTFM'ing on
Red Hat 6.2:
    In the case where the length of src is less than that of
    n, the remainder of dest will be padded with nulls.
The segfault is caused by strncpy trying to fill four megabytes with
nulls.
BTW, it's this behaviour of strncpy that once stopped me from writing an
exploit for a similar bug in a programme called playmidi. It failed to
check if a length parameter read from a file was negative, and would've
blithely overflowed a buffer, except that it kept adding nulls to the
end of the copied string till it segfaulted.
Taneli Huuskonen
--
I don't speak for the Uni. | All messages will be PGP signed, encrypted mail preferred. Keys: http://www.helsinki.fi/~huuskone/ | Fight for your right to use sealed envelopes. http://www.gilc.org/
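The strncpy padding and the negative-length check discussed above, as an added C example that is not part of the original post or of playmidi; the buffer sizes, the sample payload and all function names are constructed for the demonstration:

```c
#include <stdio.h>
#include <string.h>

/* Fill dest with a sentinel, strncpy a 2-byte string with limit n, and count
 * how many bytes strncpy wrote. This shows the padding the post describes:
 * every byte up to n is written (the rest with NULs), not just strlen(src)+1,
 * so a huge n walks off the end of dest even though src is terminated. */
size_t bytes_touched_by_strncpy(size_t n)
{
    char dest[64];                  /* constructed demo buffer */
    if (n > sizeof dest)            /* keep the demo inside dest */
        n = sizeof dest;
    memset(dest, 0xAA, sizeof dest);
    strncpy(dest, "hi", n);         /* src is 2 chars + NUL */
    size_t touched = 0;
    for (size_t i = 0; i < sizeof dest; i++)
        if ((unsigned char)dest[i] != 0xAA)
            touched++;
    return touched;
}

/* Validate a length field read from an untrusted file before it becomes a
 * size_t. A negative value converted to size_t wraps to a huge number, the
 * playmidi-style bug in the post. Returns 1 only if len is non-negative,
 * does not exceed what the source actually holds, and leaves room for NUL. */
int length_is_safe(long len, size_t src_avail, size_t dest_size)
{
    if (len < 0)
        return 0;
    if ((size_t)len > src_avail)
        return 0;
    if ((size_t)len >= dest_size)
        return 0;
    return 1;
}

/* Copy a field of untrusted length: explicit bound, no padding, explicit NUL. */
int copy_field(char *dest, size_t dest_size,
               const char *src, size_t src_avail, long len)
{
    if (!length_is_safe(len, src_avail, dest_size))
        return 0;
    memcpy(dest, src, (size_t)len);
    dest[len] = '\0';
    return 1;
}

/* Constructed sample record: a claimed length followed by a fixed payload. */
int parse_sample_record(long claimed_len, char *out, size_t out_size)
{
    static const char payload[] = "hello world";   /* 11 bytes of data */
    return copy_field(out, out_size, payload, sizeof payload - 1, claimed_len);
}
```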