Message-ID: <20031110172204.GB15853@c9x.org>
From: j at pureftpd.org (Jedi/Sector One)
Subject: DoS in PureFTPd
On Mon, Nov 10, 2003 at 04:35:06PM +0100, Adam Zabrocki wrote:
> The vulnerable function is displayrate(). There is a simple
> overflow bug (DoS):
Killing one's own session is not a DoS.
const size_t sizeof_resolved_path = MAXPATHLEN + 1U;
resolved_path[sizeof_resolved_path - 1U] = 0;
> if (realpath(name, resolved_path) == NULL) {
> ...
> if (resolved_path[sizeof_resolved_path - 1U] != 0) {
This realpath() doesn't fill more than MAXPATHLEN, including the zero; we
even have an extra byte here. The code you are talking about is not supposed
to ever be reached.
> Function realpath() is written by the author of PureFTP.
No.
/*
* Copyright (c) 1994
* The Regents of the University of California. All rights reserved.
*
* This code is derived from software contributed to Berkeley by
* Jan-Simon Pendry.
*
Zok.
--
__ /*- Frank DENIS (Jedi/Sector One) <j@...Networks.Com> -*\ __
\ '/ <a href="http://www.PureFTPd.Org/"> Secure FTP Server </a> \' /
\/ <a href="http://www.Jedi.Claranet.Fr/"> Misc. free software </a> \/
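
The guard-byte check quoted in this message, written out as a stand-alone function. This is an added example, not code from the original message or from PureFTPd: the helper name and return codes are hypothetical, and it calls the C library's realpath() rather than the BSD-derived copy the message refers to.

```c
#ifndef _XOPEN_SOURCE
#define _XOPEN_SOURCE 700           /* declares realpath() in strict modes */
#endif
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/param.h>              /* MAXPATHLEN */

enum { RESOLVE_OK = 0, RESOLVE_FAILED = -1, RESOLVE_OVERRUN = -2,
       RESOLVE_TOOSMALL = -3 };

/* Added example, not PureFTPd source; name and codes are assumptions.
 * Resolves `name` with the C library's realpath() and copies the result
 * into `out` only if the guard byte past MAXPATHLEN was left untouched. */
int resolve_with_sentinel(const char *name, char *out, size_t out_size)
{
    char resolved_path[MAXPATHLEN + 1U];
    const size_t sizeof_resolved_path = sizeof resolved_path;
    size_t len;

    if (name == NULL || out == NULL || out_size == 0U) {
        return RESOLVE_FAILED;
    }
    /* Guard byte: realpath() may write at most MAXPATHLEN bytes,
     * terminating zero included, so this last byte must stay zero. */
    resolved_path[sizeof_resolved_path - 1U] = 0;
    if (realpath(name, resolved_path) == NULL) {
        return RESOLVE_FAILED;      /* errno is set by realpath() */
    }
    if (resolved_path[sizeof_resolved_path - 1U] != 0) {
        return RESOLVE_OVERRUN;     /* contract broken: do not use the data */
    }
    /* The guard also bounds strlen(), even for an unterminated result. */
    len = strlen(resolved_path);
    if (len >= out_size) {
        return RESOLVE_TOOSMALL;
    }
    memcpy(out, resolved_path, len + 1U);
    return RESOLVE_OK;
}

int main(void)
{
    char out[MAXPATHLEN + 1U];
    int rc = resolve_with_sentinel("/.", out, sizeof out);

    printf("rc=%d path=%s\n", rc, rc == RESOLVE_OK ? out : "(none)");
    return rc == RESOLVE_OK ? 0 : 1;
}
```

With a realpath() that honours the MAXPATHLEN limit, the RESOLVE_OVERRUN branch is never taken; it exists only to catch an implementation that breaks that contract.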