[bug-inetutils] Buffer overflow on tftpd?
From: Ricardo Ribalda Delgado
Subject: [bug-inetutils] Buffer overflow on tftpd?
Date: Thu, 18 Jul 2019 14:34:41 +0200
Hi
I have compiled tftpd with gcc 8.3 and Glibc 2.29. I use it with
xinetd 2.3.15. When I request a nonexistent file from the server, the
server dies with:
*** buffer overflow detected ***
After some debugging I figured out that the error is in nak(error) at:
strcpy (tp->th_msg, pe->e_msg);
However much I look at the code, I cannot find the overflow. buff has
enough space to fetch 15 bytes, but maybe I am too old for this kind
of bug :)
This patch fixes the problem for me:
diff --git a/src/tftpd.c b/src/tftpd.c
index 56002a0..144012f 100644
--- a/src/tftpd.c
+++ b/src/tftpd.c
@@ -864,9 +864,8 @@ nak (int error)
pe->e_msg = strerror (error - 100);
tp->th_code = EUNDEF; /* set 'undef' errorcode */
}
- strcpy (tp->th_msg, pe->e_msg);
length = strlen (pe->e_msg);
- tp->th_msg[length] = '\0';
+ memcpy(tp->th_msg, pe->e_msg, length + 1);
length += 5;
if (sendto (peer, buf, length, 0, (struct sockaddr *) &from,
fromlen) != length)
syslog (LOG_ERR, "nak: %m\n");
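Review bot: the new memcpy line still copies length + 1 bytes into tp->th_msg with no check against the space left in buf, and pe->e_msg can come from strerror (), so nothing in this hunk bounds its length. Clamp length to the room remaining in buf after the 5 extra bytes that length += 5 accounts for, then copy and terminate explicitly. The commit message should also explain why strcpy tripped the "buffer overflow detected" abort while a memcpy of the same bytes does not; without that, the change may only be quieting the runtime check rather than showing the copy is in bounds. Style: memcpy( needs a space before the parenthesis to match strcpy ( and strlen ( in the surrounding code.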
In case you want to take a look at it.
Best regards!
--
Ricardo Ribalda