From: pi3ki31ny at wp.pl (Adam Zabrocki)
Subject: DoS in PureFTPd - continue.
After carefully reading the PureFTPd source and talking with
the author of PureFTPd, I must apologize for the false alarm about a DoS in
PureFTPd, because the messy code will never be executed. Look
once more at the source - function displayrate():
"in file src/ftpd.c"
static void displayrate(const char *word, off_t size,
                        const double started,
                        const char * const name, int up)
{
    ...
    ...
    char *resolved_path;
    ...
    ...
    resolved_path[sizeof_resolved_path - 1U] = 0;
    if (realpath(name, resolved_path) == NULL) {
        ...
        ...
    if (resolved_path[sizeof_resolved_path - 1U] != 0) {
        for (;;) {
            *resolved_path++ = 0;
        }
    }
    ...
    ...
}
After the for() loop, PureFTPd executes the function realpath() (in
file src/bsd-realpath.c, function bsd_realpath()). Look at it
carefully:
"src/bsd_realpath.c"
char *bsd_realpath(const char *path, char *resolved)
{
    char wbuf[MAXPATHLEN + 1U];
    ...
    ...
    if (strlen(resolved) + strlen(wbuf) + (size_t) needslash +
        (size_t) 1U > sizeof_resolved) {
        errno = ENAMETOOLONG;
        goto err1;
    }
    ...
    ...
    (void) strcat(resolved, wbuf); /* flawfinder: ignore - safe, see above */
    ...
    ...
}
Before doing strcat() and writing the string to the specific memory (for
the messy code to run, that memory must be written), the function checks the
length, and when it is longer than sizeof_resolved (sizeof_resolved is
MAXPATHLEN) the function returns ENAMETOOLONG. This protects
against the DoS.
Regards Adam Zabrocki (pi3).
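
Added example (not part of the original post and not PureFTPd's code): a small C model of the two pieces quoted above, the sentinel byte set by the caller and the length check made before strcat(), showing that an over-long component is rejected with ENAMETOOLONG and the sentinel byte stays 0. RESOLVED_SIZE, append_component() and sentinel_intact_after() are hypothetical names, and the inputs are constructed.

```c
#include <errno.h>
#include <stddef.h>
#include <string.h>

#define RESOLVED_SIZE 32U   /* constructed small stand-in for MAXPATHLEN */

/* Hypothetical helper modeled on the check quoted from bsd_realpath():
 * append one path component, or fail with ENAMETOOLONG before any write. */
static int append_component(char *resolved, size_t sizeof_resolved,
                            const char *wbuf)
{
    size_t rlen = strlen(resolved);
    int needslash = (rlen > 0U && resolved[rlen - 1U] != '/');

    if (rlen + strlen(wbuf) + (size_t) needslash + (size_t) 1U >
        sizeof_resolved) {
        errno = ENAMETOOLONG;
        return -1;
    }
    if (needslash) {
        strcat(resolved, "/");
    }
    strcat(resolved, wbuf);     /* safe: bounded by the check above */
    return 0;
}

/* Mirrors the caller's pattern in displayrate(): zero the last byte as a
 * sentinel, build the path, then test the sentinel. Returns 1 if intact. */
static int sentinel_intact_after(const char *base, const char *component,
                                 int *rc)
{
    char resolved[RESOLVED_SIZE];

    memset(resolved, 'X', sizeof resolved);   /* make stale bytes visible */
    resolved[sizeof resolved - 1U] = 0;       /* sentinel byte */
    resolved[0] = 0;                          /* start with an empty path */
    *rc = append_component(resolved, sizeof resolved, base);
    if (*rc == 0) {
        *rc = append_component(resolved, sizeof resolved, component);
    }
    return resolved[sizeof resolved - 1U] == 0;
}

int main(void)
{
    int rc;   /* constructed over-long component: rejected, sentinel intact */
    int ok = sentinel_intact_after("/srv",
                 "component-name-constructed-to-exceed-the-buffer", &rc);
    return (ok && rc == -1) ? 0 : 1;
}
```

At the exact boundary the terminating NUL of the longest accepted path lands on the sentinel position, so the byte is still 0 there as well.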