lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Sun, 7 Mar 2010 17:57:42 +0100 From: Patrick Lamaiziere <patfbsd@...enulle.org> To: full-disclosure@...ts.grok.org.uk Subject: Re: FreeBSD and OpenBSD ftpd bug (not exploitable?) Le Fri, 05 Mar 2010 16:19:12 +0100, Kingcope <kcope2@...glemail.com> a écrit : > FreeBSD ftpd globbing bug - null pointer dereference ? > > Affected FreeBSD Releases > +-+-+-+-+-+-+-+-+-+ > FreeBSD 8.0, 6.3 and 4.9 > > Affected OpenBSD Releases > +-+-+-+-+-+-+-+-+-+ > OpenBSD 4.6 > > Could someone please shed some light into why glob doesn't fail but > gives a zeroed out structure back? according to glob(3) (on FreeBSD) "gl_pathv : contains a pointer to a NULL-terminated list of matched pathnames. However, if gl_pathc is zero, the contents of gl_pathv are undefined." In your test program, glob returns 0 but with gl_pathc == 0 so it segfaults. ftpd should check if gl_pathc > 0. Good catch! Best regards. _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists