|> ---------------------------- |> wu-ftpd 2.5, VR and BeroFTPD |> ---------------------------- *** ftpd.c Sun Jun 6 15:20:21 1999 --- ftpd_patched.c Sun Jun 6 15:15:03 1999 *************** *** 1245,1251 **** /* append the dir part with a leading / unless at root */ if( !(mapped_path[0] == '/' && mapped_path[1] == '\0') ) strcat( mapped_path, "/" ); ! strcat( mapped_path, dir ); } int --- 1245,1254 ---- /* append the dir part with a leading / unless at root */ if( !(mapped_path[0] == '/' && mapped_path[1] == '\0') ) strcat( mapped_path, "/" ); ! if ( strlen(mapped_path) + strlen (dir) < 4095 ) ! strcat( mapped_path, dir ); ! else ! syslog(LOG_ERR, "FTP mapped_path attack "); } int This patch has a serious flaw - like making the wolf your shepherd: the hard coded "4095" buffer size. See line 1200: char mapped_path[ MAXPATHLEN ] = "/"; For example, on this here machine running SunOS 5.6, MAXPATHLEN is 1024. Use "sizeof(mapped_path)" instead. (BTW, your diff contains DOS style "cr/lf" sequences, so anyone willing to apply it should pipe it into "patch" via "dos2unix".) vb
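Review bot: In the new `else` branch an over-long `dir` is only logged, and by then the unchecked `strcat( mapped_path, "/" )` two lines earlier has already run, so a rejected component leaves `mapped_path` ending in a stray slash and the caller sees no failure. The length test should come before either append and count the separator, e.g. `if ( strlen(mapped_path) + 1 + strlen(dir) >= sizeof(mapped_path) )`, leaving the buffer untouched when it fails. The function's start and return type are outside the hunk, so whether it can report the failure to its caller needs checking there; if it cannot, the mapped path may drift from the directory the server actually uses. The syslog text would also be more useful for triage if it carried the offending length and the session's peer, passed as `%`-arguments rather than built into the format string.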