[Full-Disclosure] DoS in PureFTPd

Jedi/Sector One j at pureftpd.org
Mon Nov 10 17:22:42 GMT 2003


On Mon, Nov 10, 2003 at 04:35:06PM +0100, Adam Zabrocki wrote:
>     The vulnerable function is displayrate(). There is a simple
> overflow bug (DoS):

  Killing one's own session is not a DoS.

          const size_t sizeof_resolved_path = MAXPATHLEN + 1U;	
          resolved_path[sizeof_resolved_path - 1U] = 0;	
>         if (realpath(name, resolved_path) == NULL) {
> ...
>         if (resolved_path[sizeof_resolved_path - 1U] != 0) {

  This realpath() doesn't fill more than MAXPATHLEN, including the zero, we
even have an extra byte here. The code you are talking about is not supposed
to be ever reached.

> The realpath() function is written by the author of PureFTP.

  No.
  
/*
 * Copyright (c) 1994
 *      The Regents of the University of California.  All rights reserved.
 *
 * This code is derived from software contributed to Berkeley by
 * Jan-Simon Pendry.
 *

  Zok.

-- 
 __  /*-      Frank DENIS (Jedi/Sector One) <j at 42-Networks.Com>     -*\  __
 \ '/    <a href="http://www.PureFTPd.Org/"> Secure FTP Server </a>    \' /
  \/  <a href="http://www.Jedi.Claranet.Fr/"> Misc. free software </a>  \/
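
Added example, not part of the original message and not PureFTPd's code: a C sketch of the sentinel-byte guard discussed above, showing that a conforming realpath() leaves the extra byte untouched while a resolver that stores one byte too many trips the check. Assumptions: PATH_MAX stands in for MAXPATHLEN, and `resolve_with`, `overlong_resolver` and the `RESOLVE_*` codes are hypothetical names.

```c
#ifndef _XOPEN_SOURCE
#define _XOPEN_SOURCE 700   /* exposes realpath() and PATH_MAX in strict -std modes */
#endif
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum { RESOLVE_OK = 0, RESOLVE_FAILED = -1, RESOLVE_SENTINEL_HIT = -2 };
typedef char *(*resolver_fn)(const char *name, char *resolved);

/* Constructed faulty resolver (hypothetical): stores PATH_MAX + 1 bytes, one
 * more than a conforming realpath() may write, and leaves no terminator. */
char *overlong_resolver(const char *name, char *resolved)
{
    (void) name;
    memset(resolved, 'A', (size_t) PATH_MAX + 1U);
    return resolved;
}

/* Same guard layout as the quoted snippet: the buffer is one byte larger than
 * the resolver may fill, and that last byte is a zero sentinel checked after. */
int resolve_with(resolver_fn resolve, const char *name,
                 char *out, size_t out_len)
{
    char resolved_path[PATH_MAX + 1];
    const size_t sizeof_resolved_path = sizeof resolved_path;

    resolved_path[sizeof_resolved_path - 1U] = 0;
    if (resolve(name, resolved_path) == NULL) {
        return RESOLVE_FAILED;
    }
    if (resolved_path[sizeof_resolved_path - 1U] != 0) {
        return RESOLVE_SENTINEL_HIT;    /* resolver wrote past PATH_MAX bytes */
    }
    const size_t len = strlen(resolved_path);
    if (len >= out_len) {
        return RESOLVE_FAILED;          /* caller's buffer is too small */
    }
    memcpy(out, resolved_path, len + 1U);
    return RESOLVE_OK;
}

int main(void)
{
    char out[PATH_MAX + 1];
    printf("%d %d\n", resolve_with(realpath, "/", out, sizeof out),
           resolve_with(overlong_resolver, "/", out, sizeof out));
    return 0;
}
```
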



