[prev in list] [next in list] [prev in thread] [next in thread]
List: bugtraq
Subject: Re: ProFTPD
From: Daniel Jacobowitz <drow () FALSE ! ORG>
Date: 1999-08-31 20:48:18
[Download RAW message or body]
On Sun, Aug 29, 1999 at 11:27:48AM -0300, dumped wrote:
> Here goes the fix.
>
>
> dumped
> Sekure SDI
Or not.
> @@ -181,7 +186,7 @@
>
> /* otherwise everthing is good */
> p = mod_privdata_alloc(cmd,"stor_filename",strlen(dir)+1);
> - strcpy(p->value.str_val,dir);
> + strncpy(p->value.str_val, dir, strlen(p->value.str_val));
Notice p was returned from a mod_privdata_alloc which is more than big
enough. Not to mention, as someone pointed out, that strlen() can't
possibly be what you meant.
Nic's patch also did not fix the problem, here. Attached is one that
did.
There's a couple other places in ProFTPd which strike me as, if not
insecure, at least insufficiently paranoid; I'll pass along a patch for
those to proftpd-l later.
Dan
/--------------------------------\ /--------------------------------\
| Daniel Jacobowitz |__| SCS Class of 2002 |
| Debian GNU/Linux Developer __ Carnegie Mellon University |
| dan@debian.org | | dmj+@andrew.cmu.edu |
\--------------------------------/ \--------------------------------/
--- ../../orig/proftpd-1.2.0pre4/src/support.c Thu Mar 4 19:29:21 1999
+++ support.c Tue Aug 31 14:52:03 1999
@@ -582,7 +582,7 @@ char *sreplace(pool *p, char *s, ...)
char **mptr,**rptr;
char *marr[33],*rarr[33];
char buf[1024];
- int mlen = 0,rlen = 0;
+ int mlen = 0,rlen = 0, done = 0;
cp = buf;
@@ -600,12 +600,16 @@ char *sreplace(pool *p, char *s, ...)
va_end(args);
- while(*src) {
+ while(*src && !done) {
for(mptr = marr, rptr = rarr; *mptr; mptr++, rptr++) {
mlen = strlen(*mptr);
rlen = strlen(*rptr);
if(strncmp(src,*mptr,mlen) == 0) {
+ if(cp + rlen > buf + 1023) {
+ done = 1;
+ break;
+ }
strcpy(cp,*rptr);
cp += rlen;
src += mlen;
@@ -613,8 +617,11 @@ char *sreplace(pool *p, char *s, ...)
}
}
- if(!*mptr)
+ if(!*mptr) {
+ if(cp > buf + 1022)
+ break;
*cp++ = *src++;
+ }
}
*cp = '\0';
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic