After carefully read the source PureFTPd and talk with autor PureFTPd i must apologize for false alarm about DoS in PureFTPd, becouse the messy code will never be executed. Looked once more for source - function displayrate():
Before do strcat() and write to specific memory string (to do messy code that memory must be writed) function check the len and when he was longer then sizeof_resolved (sizeof_resolved is MAXPATHLEN) then function return ENAMETOOLONG. It indemnifies before DoS.
DoS in PureFTPd - continue.
After carefully read the source PureFTPd and talk with autor PureFTPd i must apologize for false alarm about DoS in PureFTPd, becouse the messy code will never be executed. Looked once more for source - function displayrate():
"in file src/ftpd.c"
static void displayrate(const char *word, off_t size,
const double started,
const char * const name, int up)
{
...
...
char *resolved_path;
...
...
resolved_path[sizeof_resolved_path - 1U] = 0;
if (realpath(name, resolved_path) == NULL) {
...
...
if (resolved_path[sizeof_resolved_path - 1U] != 0) {
for (;;) {
*resolved_path++ = 0;
}
}
...
...
}
After do loop for() PureFTPd exec is function realpath() (in file src/bsd-realpath.c function bsd_realpath()). Looked for her carefully:
"src/bsd_realpath.c"
char *bsd_realpath(const char *path, char *resolved)
{
char wbuf[MAXPATHLEN + 1U];
...
...
if (strlen(resolved) + strlen(wbuf) + (size_t) needslash +
(size_t) 1U > sizeof_resolved) {
errno = ENAMETOOLONG;
goto err1;
}
...
...
(void) strcat(resolved, wbuf); /* flawfinder: ignore - safe, see above */
...
...
}
Before do strcat() and write to specific memory string (to do messy code that memory must be writed) function check the len and when he was longer then sizeof_resolved (sizeof_resolved is MAXPATHLEN) then function return ENAMETOOLONG. It indemnifies before DoS.
Regards Adam Zabrocki (pi3).
[ reply ]