Bugtraq mailing list archives
Re: ftpd: the advisory version
From: huuskone () CC HELSINKI FI (Taneli Huuskonen)
Date: Sat, 1 Jul 2000 10:41:20 +0300
Sebastian <scut () NB IN-BERLIN DE> wrote:

[...]

> For a reason unknown to me, strncpy segfaults for such a long len
> parameter, although the source buffer is terminated, but it demonstrates
> very well that len can reach huge values.

On all platforms I know, strncpy pads the destination buffer with nulls if the string is too short to start with. For instance, RTFM'ing on Red Hat 6.2:

    In the case where the length of src is less than that of n, the
    remainder of dest will be padded with nulls.

The segfault is caused by strncpy trying to fill four megabytes with nulls.

BTW, it's this behaviour of strncpy that once stopped me from writing an exploit for a similar bug in a programme called playmidi. It failed to check if a length parameter read from a file was negative, and would've blithely overflowed a buffer, except that it kept adding nulls to the end of the copied string till it segfaulted.

Taneli Huuskonen

-- 
I don't speak for the Uni.
All messages will be PGP signed, encrypted mail preferred. Keys: http://www.helsinki.fi/~huuskone/
Fight for your right to use sealed envelopes. http://www.gilc.org/
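The two points in the reply above, that strncpy always writes exactly n bytes (zero-padding the tail, so an oversized n walks off the buffer and faults) and that a negative length read from a file turns into a huge size_t, shown as an added example that is not part of the thread or of any of the programs discussed. All buffer sizes, the "USER" source string and the bounded_copy/length_wraps helpers are constructed for this illustration; bounded_copy is the length check the playmidi code lacked.

```c
#include <stddef.h>
#include <string.h>

/* Fill dst with a sentinel, strncpy a short string into it, and return how
 * many of the n requested bytes strncpy overwrote with NUL after the copied
 * characters. With n == 64 and a 4-byte source that is 60 bytes of padding:
 * strncpy does not stop at the terminator, it writes all n bytes. */
size_t count_nul_padding(size_t n)
{
    char dst[64];
    const char *src = "USER";               /* constructed short source */
    if (n > sizeof dst)
        return 0;                           /* keep the demo inside dst */
    memset(dst, 0xAA, sizeof dst);          /* sentinel: anything non-zero */
    strncpy(dst, src, n);
    size_t pad = 0;
    for (size_t i = strlen(src); i < n; i++)
        if (dst[i] == '\0')
            pad++;
    return pad;
}

/* Why a negative length "works" as a four-gigabyte count: strncpy's size
 * parameter is size_t, so -1 converts to SIZE_MAX. Returns 1 if the
 * converted value exceeds cap. */
int length_wraps(long len_from_file, size_t cap)
{
    return (size_t)len_from_file > cap;
}

/* The check that was missing in the playmidi-style bug: reject a negative or
 * oversized length before it reaches strncpy. Returns 0 on rejection, else
 * the number of bytes copied; the result is always NUL-terminated. */
size_t bounded_copy(char *dst, size_t dst_size,
                    const char *src, long len_from_file)
{
    if (len_from_file < 0 || (unsigned long)len_from_file >= dst_size)
        return 0;
    size_t n = (size_t)len_from_file;
    strncpy(dst, src, n);                   /* pads with NUL if src is short */
    dst[n] = '\0';                          /* strncpy may not terminate */
    return n;
}
```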