This is the mail archive of the cygwin mailing list for the Cygwin project.

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]
Other format:	[Raw text]

ftp.exe's bug found

From: saintlinu at null2root dot org
To: cygwin at cygwin dot com
Date: Mon, 19 Dec 2005 18:52:37 +0900
Subject: ftp.exe's bug found

Dear list
 
When I use ftp.exe in cygwin, connected to ftp server.
and I just typed 'site AAAA%8x%8x%8x' 
 
then I faced a suspicious messege on the ftp server's information box
like SITE AAAA 3212 2324 3241 414141 ...

ftp.exe has format strings bug. right?
 
I checked inetutils' source and I found
there is no function that check arguments' validation right or not
 
if you'll input a command like 'SITE AAAA%8x%8x%8x...%100c%n%200c%n'
then get a file,'ftp.exe.stackdump'.
 
please check this a little problem
 
Cheers 
 
Alex
 
included some info.
 
$ ls -la `which ftp.exe`
-rwxrwxrwx  1 saintlinu mkgroup-l-d 57344 Aug 20 03:10 /usr/bin/ftp.exe
 
$ md5sum `which ftp.exe`
27685810cf969652679572b156da6358 */usr/bin/ftp.exe
 
<snip>
int
#if defined(HAVE_STDARG_H) && defined(__STDC__) && __STDC__
command (const char *fmt, ...)
#else
command(va_alist)
va_dcl
#endif
{
 va_list ap;
#if !(defined(HAVE_STDARG_H) && defined(__STDC__) && __STDC__) 
 const char *fmt;
#endif
 int r;
 sig_t oldintr;
 abrtflag = 0;
 if (debug) {
  printf("---> ");
#if defined(HAVE_STDARG_H) && defined(__STDC__) && __STDC__
  va_start (ap, fmt);
#else
  va_start(ap);
  fmt = va_arg(ap, char *); 
#endif
  if (strncmp("PASS ", fmt, 5) == 0)
   printf("PASS XXXX");
  else 
   vfprintf(stdout, fmt, ap);
  va_end(ap);
  printf("\n");
  (void) fflush(stdout);
 } 
 if (cout == NULL) {
  warn("No control connection for command");
  code = -1;
  return (0);
 }
 oldintr = signal(SIGINT, cmdabort);
#if defined(HAVE_STDARG_H) && defined(__STDC__) && __STDC__ 
 va_start (ap, fmt);
#else
 va_start(ap);
 fmt = va_arg(ap, char *);
#endif
 vfprintf(cout, fmt, ap);
 va_end(ap);
 fprintf(cout, "\r\n");
 (void) fflush(cout);
 cpend = 1;
 r = getreply(!strcmp(fmt, "QUIT")); 
 if (abrtflag && oldintr != SIG_IGN)
  (*oldintr)(SIGINT);
 (void) signal(SIGINT, oldintr);
 return (r);
}

</snip>
-- 
Make Our Internet Secure With H4ck3rz 


--
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
Problem reports:       http://cygwin.com/problems.html
Documentation:         http://cygwin.com/docs.html
FAQ:                   http://cygwin.com/faq/

Follow-Ups:
- Re: ftp.exe's bug found
  - From: Corinna Vinschen

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]