Date: Wed, 28 Nov 2001 18:45:53 +0900 (JST) From: Koga Youichirou <y-koga@jp.FreeBSD.org> To: ache@nagual.pp.ru Cc: freebsd-security@FreeBSD.ORG Subject: Re: wu-ftpd ? Message-ID: <20011128.184553.116411455.y-koga@jp.FreeBSD.org> In-Reply-To: <20011128.183012.26333334.y-koga@jp.FreeBSD.org> References: <20011128.122552.45455442.y-koga@jp.FreeBSD.org> <20011128084416.GA32507@nagual.pp.ru> <20011128.183012.26333334.y-koga@jp.FreeBSD.org>
> The patch I sent is included in RedHat's wu-ftpd source package.
> There includes wu-ftpd-2.7.0-20010531.tar.bz2 in it and
> the patch is for 2.7.0-20010531 (although it is named as
> "wu-ftpd-2.6.1-sec.patch" ;).
and diff about src/glob.c from 2.6.1 to 2.7.0-20010531 (w/o wu-ftpd-2.6.1-sec.patch):
--- ../wu-ftpd-2.6.1/src/glob.c Sun Jul 2 03:17:39 2000
+++ src/glob.c Thu May 31 16:30:36 2001
@@ -1,5 +1,5 @@
 /****************************************************************************
- Copyright (c) 1999,2000 WU-FTPD Development Group.
+ Copyright (c) 1999,2000,2001 WU-FTPD Development Group.
 All rights reserved.
 Portions Copyright (c) 1980, 1985, 1988, 1989, 1990, 1991, 1993, 1994
@@ -20,7 +20,7 @@
 If you did not receive a copy of the license, it may be obtained online at http://www.wu-ftpd.org/license.html.
- $Id: glob.c,v 1.14 2000/07/01 18:17:39 wuftpd Exp $
+ $Id: glob.c,v 1.19 2001/05/30 12:59:07 wuftpd Exp $
 ****************************************************************************/
 /*
@@ -41,6 +41,7 @@
 #include <pwd.h>
 #include <errno.h>
 #include <stdio.h>
+#include <stdlib.h>
 #include <string.h>
 #include "proto.h"
@@ -48,6 +49,11 @@
 #define QUOTE 0200
 #define TRIM 0177
 #define eq(a,b) (strcmp(a, b)==0)
+
+#ifndef NCARGS
+#define NCARGS 20480 /* at least on SGI IRIX */
+#endif
+
 #define GAVSIZ (NCARGS/6)
 #define isdir(d) ((d.st_mode & S_IFMT) == S_IFDIR)
@@ -174,19 +180,21 @@
 sort();
 }
+static int
+argcmp(const void *p1, const void *p2)
+{
+ char *s1 = *(char **) p1;
+ char *s2 = *(char **) p2;
+
+ return (strcmp(s1, s2));
+}
+
 static void sort(void)
 {
- register char **p1, **p2, *c;
 char **Gvp = &gargv[gargc];
- p1 = sortbas;
- while (p1 < Gvp - 1) {
- p2 = p1;
- while (++p2 < Gvp)
- if (strcmp(*p1, *p2) > 0)
- c = *p1, *p1 = *p2, *p2 = c;
- p1++;
- }
+ if (!globerr)
+ qsort(sortbas, Gvp - sortbas, sizeof (*sortbas), argcmp);
 sortbas = Gvp;
 }
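Review bot: In sort(), the element count passed to qsort() is the signed pointer difference `Gvp - sortbas` converted to size_t, and nothing visible in the hunk establishes that sortbas never lies past Gvp. The removed loop simply did nothing in that case (`p1 < Gvp - 1` was false), whereas a negative difference here would turn into a huge element count. Unless an invariant elsewhere in glob.c rules that out, I would guard the call: `if (!globerr && Gvp > sortbas) qsort(sortbas, (size_t) (Gvp - sortbas), sizeof (*sortbas), argcmp);`. In argcmp() the casts drop the const qualifier of p1/p2; `const char *s1 = *(char *const *) p1;` keeps it.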
@@ -292,12 +300,15 @@
 static int execbrc(char *p, char *s)
 {
 char restbuf[BUFSIZ + 2];
+ char *restbufend = &restbuf[sizeof(restbuf)];
 register char *pe, *pm, *pl;
 int brclev = 0;
 char *lm, savec, *sgpathp;
- for (lm = restbuf; *p != '{'; *lm++ = *p++)
- continue;
+ for (lm = restbuf; *p != '{'; *lm++ = *p++) {
+ if (lm >= restbufend)
+ return (0);
+ }
 for (pe = ++p; *pe; pe++)
 switch (*pe) {
@@ -339,6 +350,8 @@
 doit:
 savec = *pm;
 *pm = 0;
+ if (lm + strlen(pl) + strlen(pe + 1) >= restbufend)
+ return (0);
 (void) strcpy(lm, pl);
 (void) strcat(restbuf, pe + 1);
 *pm = savec;
@@ -538,8 +551,12 @@
 {
 register size_t len = strlen(s1) + strlen(s2) + 1;
+ if (globerr)
+ return;
 if (len >= gnleft || gargc >= GAVSIZ - 1)
 globerr = "Arguments too long";
+ else if (len > MAXPATHLEN)
+ globerr = "Pathname too long";
 else {
 gargc++;
 gnleft -= len;
@@ -620,6 +637,7 @@
 {
 register char **av = av0;
+ if (av)
 while (*av)
 free(*av++);
 }
@@ -627,7 +645,7 @@
 char *strspl(register char *cp, register char *dp)
 {
 register char *ep =
- (char *) malloc((unsigned) (strlen(cp) + strlen(dp) + 1));
+ (char *) malloc((unsigned) (strlen(cp) + strlen(dp) + 1));
 if (ep == (char *) 0)
 fatal("Out of memory");
@@ -652,6 +670,7 @@
 cp++;
 return (cp);
 }
+
 /*
 * Extract a home directory from the password file
 * The argument points to a buffer where the name of the
-- Koga, Youichirou
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
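Review bot: The bounds check added to execbrc()'s copy loop returns 0 without recording why, so a brace pattern whose prefix fills restbuf is dropped silently; the same applies to the second check added under `doit:` in the next hunk. Other limits in this patch report through globerr ("Arguments too long", "Pathname too long"), and doing the same here would let the caller tell an over-long pattern from one that matched nothing: `if (lm >= restbufend) { globerr = "Arguments too long"; return (0); }`. What a 0 return means to execbrc()'s callers is outside the hunk, so confirm that this fits the existing convention. A one-line comment saying that restbufend points one past the end of restbuf would also make the `>=` comparison easier to audit.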
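Review bot: The early return added after `*pm = 0;` leaves the pattern string modified, because it exits before the `*pm = savec;` that restores the saved character a few lines below. The check also forms `lm + strlen(pl) + strlen(pe + 1)`, a pointer that can lie well beyond restbuf before it is compared, which C leaves undefined; comparing lengths avoids that. Both points are covered by `if (strlen(pl) + strlen(pe + 1) >= (size_t) (restbufend - lm)) { *pm = savec; return (0); }`. The rest of execbrc() is outside the hunk, so whether callers reuse the pattern after a 0 return should be checked there.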