Re: Remote hole in ftpd that can lead to root compromise
>That is not the fix as MAXPATHLEN is not used to determine the length of
>npath, sizeof(npath) is.
does it look sufficiently careful?
itojun
Index: cmds.c
===================================================================
RCS file: /cvsroot/basesrc/libexec/ftpd/cmds.c,v
retrieving revision 1.8
diff -u -r1.8 cmds.c
--- cmds.c 2000/11/16 13:15:13 1.8
+++ cmds.c 2000/12/04 10:23:48
@@ -787,14 +787,20 @@
static void
replydirname(const char *name, const char *message)
{
+ char *p, *ep;
char npath[MAXPATHLEN];
- int i;
- for (i = 0; *name != '\0' && i < sizeof(npath) - 1; i++, name++) {
- npath[i] = *name;
- if (*name == '"')
- npath[++i] = '"';
+ p = npath;
+ ep = &npath[sizeof(npath) - 1];
+ while (*name) {
+ if (*name == '"' && ep - p >= 2) {
+ *p++ = *name++;
+ *p++ = '"';
+ } else if (ep - p >= 1)
+ *p++ = *name++;
+ else
+ break;
}
- npath[i] = '\0';
+ *p = '\0';
reply(257, "\"%s\" %s", npath, message);
}
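
Review bot: in the while loop, a '"' that arrives when ep - p == 1 fails the first test (ep - p >= 2) and falls through to "else if (ep - p >= 1)", so it is copied undoubled as the last byte of npath. The write stays in bounds, and *p = '\0' lands at most on npath[sizeof(npath) - 1], but the 257 reply then ends in a lone quote followed by the closing quote from the "\"%s\" %s" format string, which a client parsing doubled quotes reads as an escaped quote inside an unterminated path. Test *name == '"' on its own and break when fewer than two bytes remain, so truncation never splits a doubled quote. A short comment stating that ep points at the byte reserved for the terminating NUL, and that over-long names are truncated silently, would also help the next reader.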