

... / wu-ftpd <=2.5 / ...


Date: Wed, 25 Aug 1999 11:48:18 +0200
From: Volker Borchert <bt@TEKNON.DE>
To: BUGTRAQ@SECURITYFOCUS.COM
Subject: Re: ... / wu-ftpd <=2.5 / ...

|> ----------------------------
|> wu-ftpd 2.5, VR and BeroFTPD
|> ----------------------------

*** ftpd.c	Sun Jun  6 15:20:21 1999
--- ftpd_patched.c	Sun Jun  6 15:15:03 1999
***************
*** 1245,1251 ****
        /* append the dir part with a leading / unless at root */
        if( !(mapped_path[0] == '/' && mapped_path[1] == '\0') )
                strcat( mapped_path, "/" );
!       strcat( mapped_path, dir );
  }

  int
--- 1245,1254 ----
        /* append the dir part with a leading / unless at root */
        if( !(mapped_path[0] == '/' && mapped_path[1] == '\0') )
                strcat( mapped_path, "/" );
!       if ( strlen(mapped_path) + strlen (dir) < 4095 )
!               strcat( mapped_path, dir );
!       else
!         syslog(LOG_ERR, "FTP mapped_path attack ");
  }

  int
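
Review bot: the new test on the `if ( strlen(mapped_path) + strlen (dir) < 4095 )` line bounds the append with a literal rather than the size of the destination, and the `strcat( mapped_path, "/" )` directly above it is still unchecked, so the separator can be written before any length test runs. Suggest doing one test before either append, against `sizeof(mapped_path)`, that accounts for the "/" as well as `dir` and the terminating NUL. The else branch only logs: the function falls through to the closing brace with the "/" already appended and no indication to the caller that `dir` was dropped, and the syslog text carries a trailing space and none of the offending lengths.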

This patch has a serious flaw - like making the wolf your shepherd:
the hard coded "4095" buffer size. See line 1200:

	char mapped_path[ MAXPATHLEN ] = "/";

For example, on this here machine running SunOS 5.6, MAXPATHLEN is
1024. Use "sizeof(mapped_path)" instead.

(BTW, your diff contains DOS style "cr/lf" sequences, so anyone
 willing to apply it should pipe it into "patch" via "dos2unix".)

	vb
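
An added example (not from the post and not wu-ftpd's own code) of the check the reply asks for: the bound comes from the destination array's own size and is tested before the "/" or the element is written. `PATH_CAP`, `path_append`, `mapped_append` and `patched_check_allows` are names invented here; `PATH_CAP` stands in for `MAXPATHLEN`.

```c
#include <stdio.h>
#include <string.h>

#define PATH_CAP 1024  /* assumption: stands in for MAXPATHLEN (1024 on the SunOS 5.6 host above) */

static char mapped_path[PATH_CAP] = "/";

/* The test from the posted patch: bound is the literal 4095, not the buffer size. */
static int patched_check_allows(const char *buf, const char *dir)
{
    return strlen(buf) + strlen(dir) < 4095;
}

/* Append one element to buf (capacity cap, NUL included; buf must be NUL-terminated).
 * Returns 0 on success; -1 if it would not fit, leaving buf untouched. */
static int path_append(char *buf, size_t cap, const char *dir)
{
    size_t cur = strlen(buf), add = strlen(dir), room;
    size_t sep = (buf[0] == '/' && buf[1] == '\0') ? 0 : 1; /* no "/" at root */

    if (cur >= cap)
        return -1;
    room = cap - cur - 1;               /* bytes free before the NUL */
    if (sep > room || add > room - sep) /* subtraction form: no size_t wraparound */
        return -1;
    if (sep)
        buf[cur++] = '/';
    memcpy(buf + cur, dir, add + 1);    /* copies the terminating NUL as well */
    return 0;
}

/* sizeof is taken where mapped_path is visible as an array, as the reply suggests. */
static int mapped_append(const char *dir)
{
    return path_append(mapped_path, sizeof(mapped_path), dir);
}

int main(void)
{
    char big[2001];                     /* constructed input: one 2000-byte element */
    memset(big, 'A', 2000);
    big[2000] = '\0';

    mapped_append("pub");
    printf("old check allows: %d\n", patched_check_allows(mapped_path, big));
    printf("bounded append:   %d, path still \"%s\"\n", mapped_append(big), mapped_path);
    return 0;
}
```

With a 1024-byte buffer the 4095 test accepts the 2000-byte element, while the size-derived test rejects it and leaves the path unchanged.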
