cph@micro:~/security% cat crash-curl
220 Hi
230 Ok
227
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
cph@micro:~/security% cat crash-curl | nc -l -p 1234
then, in another terminal...
cph@micro:~% curl ftp://localhost:1234/
curl: Couldn't interpret this 227-reply: 227
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAA
zsh: segmentation fault curl ftp://localhost:1234/
It's a simple buffer overflow, which a malicious remote ftp server could
exploit. This fix causes the error message to be truncated to the buffer
size correctly, and I've verified that it fixes the crash.
--- sendf.c.orig Wed Oct 11 23:12:18 2000
+++ sendf.c Wed Oct 11 23:13:09 2000
@@ -77,7 +77,7 @@ void failf(struct UrlData *data, char *f
va_list ap;
va_start(ap, fmt);
if(data->errorbuffer)
- vsprintf(data->errorbuffer, fmt, ap);
+ vsnprintf(data->errorbuffer, URLGET_ERROR_SIZE, fmt, ap);
else /* no errorbuffer receives this, write to stderr instead */
vfprintf(stderr, fmt, ap);
va_end(ap);
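Review bot: the vsnprintf bound is only correct if every caller that sets data->errorbuffer allocates at least URLGET_ERROR_SIZE bytes, so that invariant should be checked where the buffer is supplied; in addition, on platforms whose vsnprintf predates C99 (e.g. a _vsnprintf-backed one) a truncated result is not NUL-terminated, so consider adding `data->errorbuffer[URLGET_ERROR_SIZE-1] = '\0';` after the call so the truncation the commit message promises is safe everywhere.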
Daniel Stenberg
libcurl
crash
Public
Date: 2000-10-12 08:18
Thanks!
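As an added C example (not the report's code nor curl's own), this shows the bounded formatting that the failf() patch above introduces, plus an explicit terminator for pre-C99 vsnprintf implementations and a return value that lets the caller detect truncation; the buffer size 256 and the function names are assumptions, since the page does not give URLGET_ERROR_SIZE's value.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Assumed buffer size: curl's constant is URLGET_ERROR_SIZE, whose value the
 * report does not state, so 256 is a placeholder for this demonstration. */
#define ERROR_SIZE 256

/* Bounded replacement for the vsprintf() call in failf(): formats into a
 * fixed-size buffer, always NUL-terminates (some pre-C99 vsnprintf versions
 * do not when output is cut off) and returns the length the full message
 * would have had, so the caller can tell whether it was truncated. */
int failf_bounded(char *errorbuffer, size_t size, const char *fmt, ...)
{
    va_list ap;
    int needed;

    if (!errorbuffer || size == 0)
        return -1;

    va_start(ap, fmt);
    needed = vsnprintf(errorbuffer, size, fmt, ap);
    va_end(ap);

    errorbuffer[size - 1] = '\0';   /* belt and braces for non-C99 libcs */
    return needed;
}

/* Builds the 227-reply error from the report. Returns 1 if the message had
 * to be truncated to fit, 0 if it fit, -1 on error. */
int format_reply_error(char *errorbuffer, size_t size, const char *reply)
{
    int needed = failf_bounded(errorbuffer, size,
                               "Couldn't interpret this 227-reply: %s", reply);
    if (needed < 0)
        return -1;
    return (size_t)needed >= size ? 1 : 0;
}

/* Demo with a constructed oversized 227 line like the one in the report:
 * the message is cut to ERROR_SIZE-1 characters instead of overflowing. */
int demo(void)
{
    char errorbuffer[ERROR_SIZE];
    char reply[400];

    memset(reply, 'A', sizeof(reply) - 1);
    reply[sizeof(reply) - 1] = '\0';
    int truncated = format_reply_error(errorbuffer, sizeof(errorbuffer), reply);
    return truncated == 1 && strlen(errorbuffer) == ERROR_SIZE - 1;
}
```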