Home | Privacy Statement | About | Contact Us | Add a list! [geocrawler.com - the knowledge archive] [Image] [LOGIN] [REGISTER] [Image] [Themes.org] Archive [Image] Mailing Lists [Image] 2000 (1248 msgs) [Linux.com] [Image] OpenBSD [Image] 1999 (813 msgs) [VA Linux Systems] [Image] bugs - OpenBSD Bugs [Image] 1998 (862 msgs) [Image] 1997 (750 msgs) [Image] 1996 (81 msgs) Print | Monitor This List | Reply To Author Message: 4767599 FROM: Jun-ichiro itojun Hagino DATE: 12/04/2000 02:24:13 SUBJECT: RE: Remote hole in ftpd that can lead to root compromise >That is not the fix as MAXPATHLEN is not used to determine the length of >npath, sizeof(npath) is. does it look sufficiently careful? itojun Index: cmds.c =================================================================== RCS file: /cvsroot/basesrc/libexec/ftpd/cmds.c,v retrieving revision 1.8 diff -u -r1.8 cmds.c --- cmds.c 2000/11/16 13:15:13 1.8 +++ cmds.c 2000/12/04 10:23:48 @@ -787,14 +787,20 @@ static void replydirname(const char *name, const char *message) { + char *p, *ep; char npath[MAXPATHLEN]; - int i; - for (i = 0; *name != '\0' && i < sizeof(npath) - 1; i++, name++) { - npath[i] = *name; - if (*name == '"') - npath[++i] = '"'; + p = npath; + ep = &npath[sizeof(npath) - 1]; + while (*name) { + if (*name == '"' && ep - p >= 2) { + *p++ = *name++; + *p++ = '"'; + } else if (ep - p >= 1) + *p++ = *name++; + else + break; } - npath[i] = '\0'; + *p = '\0'; reply(257, "\"%s\" %s", npath, message); } [Image] By viewing these pages, you agree to the Legal Terms of Service