From: netch@carrier.kiev.ua (Valentin Nechayev)
To: Kris Kennaway, freebsd-audit@FreeBSD.ORG
Date: Tue, 29 Aug 2000 14:13:33 +0300 (EEST)
Subject: Re: ftp(1) patch

Kris Kennaway wrote:

KK> Index: cmds.c
KK> ===================================================================
KK> RCS file: /home/ncvs/src/usr.bin/ftp/cmds.c,v
KK> retrieving revision 1.18
KK> diff -u -r1.18 cmds.c
KK> --- cmds.c 2000/06/24 15:34:30 1.18
KK> +++ cmds.c 2000/08/05 03:52:38
KK> @@ -125,7 +125,7 @@
KK> else
KK> comret = command("TYPE %s", p->t_mode);
KK> if (comret == COMPLETE) {
KK> - (void)strcpy(typename, p->t_name);
KK> + (void)strlcpy(typename, p->t_name, sizeof(typename));

In all these fixes, do you prove that the resulting string cannot be cut?
strlcpy() provides only buffer non-overflowing, but not correctness of
the result in the buffer. Consider changing strlcpy in these fixes to:

    #include <err.h>        /* errx() */
    #include <string.h>     /* strlcpy() */
    #include <sysexits.h>   /* EX_DATAERR */

    size_t
    checked_strcopy( char* To, const char* From, size_t Size )
    {
        /* strlcpy() returns strlen(From), the length it tried to create */
        register size_t Result = strlcpy( To, From, Size );
        /* Result >= Size means From did not fit and To was truncated */
        if( Result >= Size )
            errx( EX_DATAERR, "too long string" );
        return Result;
    }

Also, the `linefull' variable is set, but is not checked AFAIS elsewhere.

/netch
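Review bot: The added line in the cmds.c hunk at -125,7 casts the return value of strlcpy() to (void), so a p->t_name that does not fit in typename is truncated silently and the shortened string is kept as if it were the full type name. Compare the return value against sizeof(typename) and report an error when it is greater than or equal to it, instead of discarding it. The declaration of typename is not visible in this hunk; sizeof(typename) gives the buffer size only if typename is an array in this scope, which is worth confirming before the change goes in.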