Bugtraq mailing list archives

Re: ftpd: the advisory version


From: huuskone () CC HELSINKI FI (Taneli Huuskonen)
Date: Sat, 1 Jul 2000 10:41:20 +0300


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Sebastian <scut () NB IN-BERLIN DE> wrote:

[...]
For a reason unknown to me, strncpy segfaults for such a long len
parameter, although the source buffer is terminated, but it demonstrates
very well that len can reach huge values.

On all platforms I know, strncpy pads the destination buffer with nulls
if the string is too short to start with.  For instance, RTFM'ing on
Red Hat 6.2:

        In the case where the length of src is less than  that  of
        n, the remainder of dest will be padded with nulls.

The segfault is caused by strncpy trying to fill four megabytes with
nulls.

BTW, it's this behaviour of strncpy that once stopped me from writing an
exploit for a similar bug in a programme called playmidi.  It failed to
check if a length parameter read from a file was negative, and would've
blithely overflowed a buffer, except that it kept adding nulls to the
end of the copied string till it segfaulted.

Taneli Huuskonen

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 5.0i for non-commercial use
Charset: noconv

iQA/AwUBOV2gkl+t0CYLfLaVEQJhywCfcUWWAQWDjkcUYf2P4fMPQkUc91kAoISK
noGDjd98BeM2X+7F+hEyI5tC
=3wqN
-----END PGP SIGNATURE-----

--
I don't   | All messages will be PGP signed,  | Fight for your right to
speak for | encrypted mail preferred.  Keys:  | use sealed envelopes.
the Uni.  | http://www.helsinki.fi/~huuskone/ | http://www.gilc.org/
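The padding behaviour Taneli describes is easy to verify, and it is the reason a length parameter must be checked against the destination size (not against the source string) before strncpy is ever called. The following C program is an added example, not code from the original thread: count_nul_padding shows that strncpy writes exactly n bytes regardless of how short src is, and bounded_copy is an assumed, hypothetical helper showing the check that the playmidi-style code lacked (a signed length read from a file rejected when negative or too large for the buffer).

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Added example, not from the original post.
   Fill dest with a marker byte, copy src with strncpy(dest, src, n), and
   return how many bytes past the end of the source string were overwritten
   with NUL. Caller guarantees n <= dest_size and strlen(src) < n. */
size_t count_nul_padding(char *dest, size_t dest_size, const char *src, size_t n)
{
    memset(dest, 0xAA, dest_size);        /* marker: anything non-zero */
    strncpy(dest, src, n);                /* writes exactly n bytes */
    size_t pad = 0;
    for (size_t i = strlen(src); i < dest_size; i++) {
        if (dest[i] == '\0')
            pad++;                        /* NUL written by strncpy */
    }
    return pad;
}

/* Hypothetical hardened copy: len is an untrusted value (e.g. read from a
   file) and is validated against the destination before any write.
   Returns 0 on success with dest NUL-terminated, -1 if len is rejected. */
int bounded_copy(char *dest, size_t dest_size, const char *src, long len)
{
    if (len < 0 || (size_t)len >= dest_size)
        return -1;                        /* negative or would not fit */
    strncpy(dest, src, (size_t)len);      /* at most len bytes, within dest */
    dest[len] = '\0';                     /* len < dest_size, so in bounds */
    return 0;
}

int main(void)
{
    char buf[64];

    /* A two-byte source with n == 64 still results in 62 NUL bytes. */
    printf("padding with n=64: %zu bytes\n",
           count_nul_padding(buf, sizeof buf, "hi", sizeof buf));
    /* With n == 8 only bytes 2..7 are padded; the rest keep the marker. */
    printf("padding with n=8:  %zu bytes\n",
           count_nul_padding(buf, sizeof buf, "hi", 8));

    /* The check rejects a negative length and one as large as the buffer. */
    printf("len=-1 accepted?  %d\n", bounded_copy(buf, sizeof buf, "hello", -1) == 0);
    printf("len=64 accepted?  %d\n", bounded_copy(buf, sizeof buf, "hello", 64) == 0);
    if (bounded_copy(buf, sizeof buf, "hello", 3) == 0)
        printf("len=3 copied:     \"%s\"\n", buf);
    return 0;
}
```

The first function is what makes the segfault in the thread understandable: the write size is n, not the string length, so a multi-megabyte n means a multi-megabyte write that runs off the end of dest. The second shows the only safe ordering: validate the length against the destination, then copy.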


