
DoS in PureFTPd - continue.




After carefully reading the PureFTPd source and talking with the author of PureFTPd, I must apologize for the false alarm about a DoS in PureFTPd, because the messy code will never be executed. Look once more at the source, function displayrate():



"in file src/ftpd.c"

static void displayrate(const char *word, off_t size,
                        const double started,
                        const char * const name, int up)
{
...
...
        char *resolved_path;
...
...
        resolved_path[sizeof_resolved_path - 1U] = 0;
        if (realpath(name, resolved_path) == NULL) {
...
...
        if (resolved_path[sizeof_resolved_path - 1U] != 0) {
            for (;;) {
                *resolved_path++ = 0;
            }
        }
...
...
}



After the for() loop, the function PureFTPd executes is realpath() (in file src/bsd-realpath.c, function bsd_realpath()). Look at it carefully:



"src/bsd_realpath.c"

char *bsd_realpath(const char *path, char *resolved)
{
    char wbuf[MAXPATHLEN + 1U];
...
...
    if (strlen(resolved) + strlen(wbuf) + (size_t) needslash +
               (size_t) 1U > sizeof_resolved) {
        errno = ENAMETOOLONG;
        goto err1;
    }
...
...
        (void) strcat(resolved, wbuf); /* flawfinder: ignore - safe, see above */
...
...
}



Before doing strcat() and writing the string to that memory (for the messy code to run, that memory must be written), the function checks the length, and when it is longer than sizeof_resolved (sizeof_resolved is MAXPATHLEN) the function returns ENAMETOOLONG. This protects against the DoS.



Regards Adam Zabrocki (pi3).
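
The two checks quoted above, reduced to a stand-alone C sketch (an added example, not PureFTPd's code or the author's): append_checked() and sentinel_survives() are hypothetical names, and the 16-byte buffer stands in for MAXPATHLEN. It shows that with the length test in front of strcat() the last byte of the buffer is never overwritten, so the sentinel test in the caller cannot fire.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper modelled on the check quoted from bsd_realpath():
 * append wbuf (plus an optional '/') to resolved only if the result,
 * including the terminating NUL, fits in sizeof_resolved bytes. */
static int append_checked(char *resolved, size_t sizeof_resolved,
                          const char *wbuf, int needslash)
{
    if (strlen(resolved) + strlen(wbuf) + (size_t) needslash +
        (size_t) 1U > sizeof_resolved) {
        errno = ENAMETOOLONG;       /* refuse before any byte is written */
        return -1;
    }
    if (needslash) {
        strcat(resolved, "/");
    }
    strcat(resolved, wbuf);         /* safe: length verified above */
    return 0;
}

/* Mirrors the caller-side pattern quoted from displayrate(): zero the last
 * byte, build the path, then test whether that byte was overwritten.
 * Returns 1 if the sentinel is intact; *rc gets the last append result. */
static int sentinel_survives(const char *first, const char *second, int *rc)
{
    char resolved_path[16];         /* constructed stand-in for MAXPATHLEN */
    const size_t sizeof_resolved_path = sizeof resolved_path;

    resolved_path[0] = 0;
    resolved_path[sizeof_resolved_path - 1U] = 0;
    *rc = append_checked(resolved_path, sizeof_resolved_path, first, 0);
    if (*rc == 0) {
        *rc = append_checked(resolved_path, sizeof_resolved_path, second, 1);
    }
    return resolved_path[sizeof_resolved_path - 1U] == 0;
}

int main(void)
{
    int rc;
    int intact = sentinel_survives("/home/user", "abcde", &rc); /* too long */
    printf("rc=%d sentinel_intact=%d\n", rc, intact);
    return 0;
}
```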
