Bugtraq mailing list archives

Re: ftpd: the advisory version


From: scut () NB IN-BERLIN DE (Sebastian)
Date: Thu, 29 Jun 2000 21:02:09 +0200


Hello!

Hi.

So this is still unsafe:

#include <stddef.h>     /* size_t */
#include <string.h>     /* strncpy */

void
func_weak (char *domain)
{
    unsigned char   buff[2000];
    size_t          len = domain[0];    /* plain char -> size_t: where char is
                                           signed, a prefix byte of 0x80..0xFF
                                           becomes a huge value here */

    strncpy ((char *) buff, &domain[1], len);
    buff[1999] = '\x00';
}


It *is* safe, as far as the char type is concerned.
And len cannot fall below zero and cannot grow above
255. (0 <= char <= 255, on most platforms)
The size of buff is much more than 255. So this code
is safe, in my opinion.

Welcome to the thinking of programmers who fall for this type of bug. It's
not a shame, it's easy to overlook, but yes, it is UNSAFE.

Example:
---[footest.c]---

#include <stdio.h>
#include <string.h>

int
main (int argc, char *argv[])
{
        int     i;
        size_t  len;
        char    source[300];
        char    buff[300];
        char    foo = '\x80';   /* byte 0x80: -128 where char is signed */

        /* a NUL-terminated source of 299 dashes */
        for (i = 0 ; i < (int) sizeof (source) ; ++i)
                source[i] = '-';
        source[sizeof (source) - 1] = '\x00';

        len = foo;      /* signed char -> size_t: 4294967168 on 32-bit */
        strncpy (buff, source, len);    /* writes len bytes into buff, NUL-padding
                                           past the end of source */
        for (i = 0 ; buff[i] == '-' ; ++i)
                ;

        printf ("%d\n", i);
        return 0;
}
---[end]---

gives:
Breakpoint 2, main (argc=1, argv=0xbffffd24) at footest.c:20
20              len = foo;
(gdb) n
21              strncpy (buff, source, len);
(gdb) display len
1: len = 4294967168
(gdb) n

Program received signal SIGSEGV, Segmentation fault.
0x40054949 in strncpy ()
(gdb)

For a reason unknown to me, strncpy segfaults for such a long len
parameter, although the source buffer is terminated, but it demonstrates
very well that len can reach huge values.

The problem may reveal itself only on computers where
char type is signed by default.

Which it is on all platforms I know. The compiler assumes that all simple
C types are signed unless explicitly given a type modifier such as
unsigned.

*wave*,
      John <skywriter () rnc ru>

ciao,
scut

--
- scut () nb in-berlin de - http://nb.in-berlin.de/scut/ --- you don't need a --
-- lot of people to be great, you need a few great to be the best ------------
http://3261000594/scut/pgp - 5453 AC95 1E02 FDA7 50D2 A42D 427E 6DEF 745A 8E07
-- data in VK/USA Mayfly experienced, awaiting transfer location, hi echelon -
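Added example (editor's code, not scut's or John's): the conversion under
discussion side by side with the portable way to read a length-prefix byte,
plus a bounded copy of the same wire layout func_weak parses. Names
(weak_len_exceeds, prefix_len, copy_prefixed, demo_copy) and the 0x80-prefixed
input are constructed for this example. Two points it makes concrete: reading
the prefix as unsigned char keeps len in 0..255 whatever the signedness of
plain char, and copying with an explicit source bound and memcpy avoids the
behaviour that crashes footest.c, since strncpy always writes exactly len
bytes, NUL-padding once the source is exhausted.

```c
#include <limits.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define BUFF_SIZE 2000

/* Mirrors the conversion in func_weak: a plain char used as a size_t.
 * Returns 1 when the resulting length exceeds bufsize. On a platform with
 * signed char, a prefix byte of 0x80..0xFF becomes a huge value here. */
int weak_len_exceeds(const char *domain, size_t bufsize)
{
    size_t len = domain[0];   /* the line under discussion, unchanged */
    return len > bufsize;
}

/* The same prefix read the portable way: unsigned char, so 0x00..0xFF
 * always maps to 0..255 regardless of the signedness of plain char. */
size_t prefix_len(const char *domain)
{
    return (size_t) (unsigned char) domain[0];
}

/* Hardened copy of a length-prefixed string (the layout func_weak parses).
 * domainsize is the number of bytes actually available at domain.
 * Returns the number of bytes copied, or -1 when the prefix claims more
 * than is present or more than fits in buff with a terminator. */
int copy_prefixed(char *buff, size_t buffsize, const char *domain, size_t domainsize)
{
    size_t len;

    if (domainsize < 1 || buffsize < 1)
        return -1;
    len = prefix_len(domain);
    if (len > domainsize - 1 || len > buffsize - 1)
        return -1;
    memcpy(buff, domain + 1, len);   /* exact length: no padding, no overread */
    buff[len] = '\0';
    return (int) len;
}

/* Constructed input: a 0x80 prefix byte followed by 128 'a's.
 * Returns the byte count copied (128), or -2 if the copy is wrong. */
int demo_copy(void)
{
    char buff[BUFF_SIZE];
    char domain[1 + 128];
    int n;

    domain[0] = (char) 0x80;
    memset(domain + 1, 'a', 128);
    n = copy_prefixed(buff, sizeof buff, domain, sizeof domain);
    if (n != 128 || buff[128] != '\0' || memcmp(buff, domain + 1, 128) != 0)
        return -2;
    return n;
}

int main(void)
{
    const char domain[] = "\x80";   /* constructed: prefix byte 0x80 */

    printf("plain char is %s\n", CHAR_MIN < 0 ? "signed" : "unsigned");
    printf("size_t len = domain[0] exceeds %d bytes: %s\n", BUFF_SIZE,
           weak_len_exceeds(domain, BUFF_SIZE) ? "yes" : "no");
    printf("prefix read as unsigned char: %zu\n", prefix_len(domain));
    printf("bounded copy of a valid 0x80-prefixed input: %d bytes\n", demo_copy());
    return 0;
}
```

On a signed-char target the first check reports that the plain-char length
exceeds the 2000-byte buffer; on a target where char is unsigned it does not,
which is exactly why code that is "safe" on one machine fails on another.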


