[prev in list] [next in list] [prev in thread] [next in thread]
List: krb5-bugs
Subject: [krbdev.mit.edu #5853] apparent uninit length in ftpd.c:reply()
From: "Tom Yu via RT" <rt-comment () krbdev ! mit ! edu>
Date: 2007-12-12 18:40:00
Message-ID: rt-5853-25712.13.6077435134391 () krbdev ! mit ! edu
[Download RAW message or body]
This is one of the Venustech AD-LAB alleged vulnerabilities.
CVE-2007-5894
http://bugs.gentoo.org/show_bug.cgi?id=199205
This is not a vulnerability, and only a stylistic bug. The alleged
vulnerability consists of reading an uninitialized variable, "length",
in the reply() function in src/appl/gssftp/ftpd/ftpd.c.
1878 /* Other auth types go here ... */
1879 if (length >= sizeof(in) / 4 * 3) {
1880 syslog(LOG_ERR, "input to radix_encode too long");
1881 fputs(in, stdout);
1882 } else if ((kerror = radix_encode(out, in, &length, 0))) {
1883 syslog(LOG_ERR, "Couldn't encode reply (%s)",
1884 radix_error(kerror));
1885 fputs(in,stdout);
The "length" variable is only uninitialized if "auth_type" is neither
the "KERBEROS_V4" nor "GSSAPI"; this condition cannot occur in the
unmodified source code. While the remote user can set the string in
"auth_type", this may only occur by way of the auth_data() function,
which will only set "auth_type" if it exactly matches one of the
aforementioned two strings.
_______________________________________________
krb5-bugs mailing list
krb5-bugs@mit.edu
https://mailman.mit.edu/mailman/listinfo/krb5-bugs
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic