Date: 11 Nov 2003 14:58:21 -0000
From: Adam Zabrocki <pi3ki31ny@...pl>
To: bugtraq@...urityfocus.com
Subject: DoS in PureFTPd - continue.

DoS in PureFTPd - continue.

After carefully reading the PureFTPd source and talking with the author of PureFTPd, I must apologize for the false alarm about a DoS in PureFTPd, because the messy code will never be executed.

Look once more at the source, function displayrate():

"in file src/ftpd.c"

    static void displayrate(const char *word, off_t size,
                            const double started,
                            const char * const name, int up)
    {
        ...
        ...
        char *resolved_path;
        ...
        ...
        resolved_path[sizeof_resolved_path - 1U] = 0;
        if (realpath(name, resolved_path) == NULL) {
        ...
        ...
        if (resolved_path[sizeof_resolved_path - 1U] != 0) {
            for (;;) {
                *resolved_path++ = 0;
            }
        }
        ...
        ...
    }

After the for() loop, what PureFTPd executes is the function realpath() (in file src/bsd-realpath.c, function bsd_realpath()). Look at it carefully:

"src/bsd_realpath.c"

    char *bsd_realpath(const char *path, char *resolved)
    {
        char wbuf[MAXPATHLEN + 1U];
        ...
        ...
        if (strlen(resolved) + strlen(wbuf) + (size_t) needslash +
            (size_t) 1U > sizeof_resolved) {
            errno = ENAMETOOLONG;
            goto err1;
        }
        ...
        ...
        (void) strcat(resolved, wbuf); /* flawfinder: ignore - safe, see above */
        ...
        ...
    }

Before doing strcat() and writing the string to the specific memory (for the messy code to run, that memory must be written), the function checks the length, and when it is longer than sizeof_resolved (sizeof_resolved is MAXPATHLEN) the function returns ENAMETOOLONG. This protects against the DoS.

Regards
Adam Zabrocki (pi3).
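The length check described in the message, shown as an added, self-contained example (not PureFTPd's own code): a bounded append that refuses with ENAMETOOLONG, plus the caller-side "zero the last byte, then test it" pattern from displayrate(). The names append_component and sentinel_intact_after and the 32-byte BUF_SIZE are assumptions made for illustration.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 32 /* constructed; the buffer in the post is MAXPATHLEN-sized */

/* Append one path component only if the current string, the component, an
 * optional '/' and the terminating NUL all fit in resolved_size bytes.
 * Returns 0 on success, -1 with errno = ENAMETOOLONG otherwise. */
static int append_component(char *resolved, size_t resolved_size,
                            const char *wbuf, int needslash)
{
    size_t used = strlen(resolved);
    size_t add = strlen(wbuf);

    if (used + add + (size_t) needslash + (size_t) 1U > resolved_size) {
        errno = ENAMETOOLONG;
        return -1;
    }
    if (needslash) {
        resolved[used++] = '/';
    }
    memcpy(resolved + used, wbuf, add + 1U); /* add + 1 copies the NUL too */
    return 0;
}

/* Caller-side pattern: zero the last byte, do the append, then report
 * whether that byte is still zero (1) or was overwritten (0). */
static int sentinel_intact_after(const char *base, const char *component,
                                 int *rc)
{
    char resolved[BUF_SIZE];

    strncpy(resolved, base, sizeof resolved - 1U);
    resolved[sizeof resolved - 1U] = 0;
    *rc = append_component(resolved, sizeof resolved, component, 1);
    return resolved[sizeof resolved - 1U] == 0;
}

int main(void)
{
    int rc;
    int ok = sentinel_intact_after("/srv/ftp", "pub", &rc);

    printf("rc=%d sentinel_intact=%d\n", rc, ok);
    return 0;
}
```

Even when the result fills the buffer exactly, the only byte that can land in the last slot is the terminating NUL, so the sentinel test in the caller never sees a non-zero value.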