Bugtraq mailing list archives

Re: ... / wu-ftpd <=2.5 / ...


From: bt () TEKNON DE (Volker Borchert)
Date: Wed, 25 Aug 1999 11:48:18 +0200


|> ----------------------------
|> wu-ftpd 2.5, VR and BeroFTPD
|> ----------------------------

*** ftpd.c      Sun Jun  6 15:20:21 1999
--- ftpd_patched.c      Sun Jun  6 15:15:03 1999
***************
*** 1245,1251 ****
        /* append the dir part with a leading / unless at root */
        if( !(mapped_path[0] == '/' && mapped_path[1] == '\0') )
                strcat( mapped_path, "/" );
!       strcat( mapped_path, dir );
  }

  int
--- 1245,1254 ----
        /* append the dir part with a leading / unless at root */
        if( !(mapped_path[0] == '/' && mapped_path[1] == '\0') )
                strcat( mapped_path, "/" );
!       if ( strlen(mapped_path) + strlen (dir) < 4095 )
!               strcat( mapped_path, dir );
!       else
!         syslog(LOG_ERR, "FTP mapped_path attack ");
  }

  int
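Review bot: The new test "strlen(mapped_path) + strlen (dir) < 4095" in the changed lines uses a literal that is not tied to the size of mapped_path, so it only protects the buffer if that array is at least 4096 bytes; take the bound from the buffer itself, for example by comparing against sizeof(mapped_path). The unchanged strcat( mapped_path, "/" ) just above still runs before any length check, so the separator byte should be counted under the same bound. The else branch logs a fixed string and then falls through to the closing brace, so the log says nothing about which path or length triggered it, and nothing in these lines signals that the element was dropped.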

This patch has a serious flaw - like making the wolf your shepherd:
the hard coded "4095" buffer size. See line 1200:

        char mapped_path[ MAXPATHLEN ] = "/";

For example, on this here machine running SunOS 5.6, MAXPATHLEN is
1024. Use "sizeof(mapped_path)" instead.

(BTW, your diff contains DOS style "cr/lf" sequences, so anyone
 willing to apply it should pipe it into "patch" via "dos2unix".)

        vb
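The point made in the message above, as an added example that is not part of the original post or of the wu-ftpd source: the same oversized element is accepted by a literal-4095 test but refused when the bound comes from sizeof of the buffer. The names append_elem, elem and EX_MAXPATHLEN are hypothetical, and the 1024-byte buffer is a constructed stand-in for the MAXPATHLEN value cited in the message.

```c
#include <stdio.h>
#include <string.h>

#define EX_MAXPATHLEN 1024  /* constructed stand-in: the SunOS 5.6 value cited above */

/* Hypothetical helper: append "/dir" (just "dir" at root) only if separator,
 * element and terminating NUL all fit in cap bytes. Returns 0 on success,
 * -1 with path left unchanged otherwise. */
static int append_elem(char *path, size_t cap, const char *dir)
{
    size_t plen = strlen(path), dlen = strlen(dir);
    size_t sep = (path[0] == '/' && path[1] == '\0') ? 0 : 1;

    if (plen >= cap || sep + dlen >= cap - plen)
        return -1;
    if (sep)
        path[plen++] = '/';
    memcpy(path + plen, dir, dlen + 1);     /* dlen + 1 copies the NUL */
    return 0;
}

/* Constructed input: a path element of n 'a' characters (n < 4096). */
static const char *elem(size_t n)
{
    static char d[4096];
    memset(d, 'a', n);
    d[n] = '\0';
    return d;
}

/* Condition from the posted patch: literal 4095, whatever the buffer size. */
static int hardcoded_accepts(size_t n)
{
    return strlen("/") + strlen(elem(n)) < 4095;
}

/* Same element against a fresh EX_MAXPATHLEN buffer, bound taken from sizeof. */
static int bounded_accepts(size_t n)
{
    char mapped_path[EX_MAXPATHLEN] = "/";
    return append_elem(mapped_path, sizeof(mapped_path), elem(n)) == 0;
}

int main(void)
{
    printf("2000 bytes: hardcoded=%d bounded=%d; 1022: %d; 1023: %d\n",
           hardcoded_accepts(2000), bounded_accepts(2000),
           bounded_accepts(1022), bounded_accepts(1023));
    return 0;
}
```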

