From owner-freebsd-security Wed Nov 28 1:46:39 2001 Delivered-To: freebsd-security@freebsd.org Received: from TYO201.gate.nec.co.jp (TYO201.gate.nec.co.jp [202.32.8.214]) by hub.freebsd.org (Postfix) with ESMTP id 8F93A37B433 for ; Wed, 28 Nov 2001 01:46:27 -0800 (PST) Received: from mailgate4.nec.co.jp ([10.7.69.195]) by TYO201.gate.nec.co.jp (8.11.6/3.7W01080315) with ESMTP id fAS9jwR10218; Wed, 28 Nov 2001 18:45:58 +0900 (JST) Received: from mailsv4.nec.co.jp (mailgate51.nec.co.jp [10.7.69.190]) by mailgate4.nec.co.jp (8.11.6/3.7W-MAILGATE-NEC) with ESMTP id fAS9jsa12507; Wed, 28 Nov 2001 18:45:54 +0900 (JST) Received: from necspl.do.mms.mt.nec.co.jp (necspl.do.mms.mt.nec.co.jp [10.16.5.21]) by mailsv4.nec.co.jp (8.11.6/3.7W-MAILSV4-NEC) with ESMTP id fAS9jsi11596; Wed, 28 Nov 2001 18:45:54 +0900 (JST) Received: from localhost (localhost [127.0.0.1]) by necspl.do.mms.mt.nec.co.jp (8.12.1/8.12.1) with ESMTP id fAS9jrlC053712; Wed, 28 Nov 2001 18:45:54 +0900 (JST) Date: Wed, 28 Nov 2001 18:45:53 +0900 (JST) Message-Id: <20011128.184553.116411455.y-koga@jp.FreeBSD.org> To: ache@nagual.pp.ru Cc: freebsd-security@FreeBSD.ORG Subject: Re: wu-ftpd ? 
From: Koga Youichirou In-Reply-To: <20011128.183012.26333334.y-koga@jp.FreeBSD.org> References: <20011128.122552.45455442.y-koga@jp.FreeBSD.org> <20011128084416.GA32507@nagual.pp.ru> <20011128.183012.26333334.y-koga@jp.FreeBSD.org> X-Mailer: Mew version 3.0.50 on Emacs 21.1 / Mule 5.0 (SAKAKI) Mime-Version: 1.0 Content-Type: Text/Plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org > The patch I sent is included in RedHat's wu-ftpd source package. > There includes wu-ftpd-2.7.0-20010531.tar.bz2 in it and > the patch is for 2.7.0-20010531 (although it is named as > "wu-ftpd-2.6.1-sec.patch" ;). and diff about src/glob.c from 2.6.1 to 2.7.0-20010531 (w/o wu-ftpd-2.6.1-sec.patch): --- ../wu-ftpd-2.6.1/src/glob.c Sun Jul 2 03:17:39 2000 +++ src/glob.c Thu May 31 16:30:36 2001 @@ -1,5 +1,5 @@ /**************************************************************************** - Copyright (c) 1999,2000 WU-FTPD Development Group. + Copyright (c) 1999,2000,2001 WU-FTPD Development Group. All rights reserved. Portions Copyright (c) 1980, 1985, 1988, 1989, 1990, 1991, 1993, 1994 @@ -20,7 +20,7 @@ If you did not receive a copy of the license, it may be obtained online at http://www.wu-ftpd.org/license.html. - $Id: glob.c,v 1.14 2000/07/01 18:17:39 wuftpd Exp $ + $Id: glob.c,v 1.19 2001/05/30 12:59:07 wuftpd Exp $ ****************************************************************************/ /* @@ -41,6 +41,7 @@ #include #include #include +#include #include #include "proto.h" @@ -48,6 +49,11 @@ #define QUOTE 0200 #define TRIM 0177 #define eq(a,b) (strcmp(a, b)==0) + +#ifndef NCARGS +#define NCARGS 20480 /* at least on SGI IRIX */ +#endif + #define GAVSIZ (NCARGS/6) #define isdir(d) ((d.st_mode & S_IFMT) == S_IFDIR) 
@@ -174,19 +180,21 @@ sort(); } +static int +argcmp(const void *p1, const void *p2) +{ + char *s1 = *(char **) p1; + char *s2 = *(char **) p2; + + return (strcmp(s1, s2)); +} + static void sort(void) { - register char **p1, **p2, *c; char **Gvp = &gargv[gargc]; - p1 = sortbas; - while (p1 < Gvp - 1) { - p2 = p1; - while (++p2 < Gvp) - if (strcmp(*p1, *p2) > 0) - c = *p1, *p1 = *p2, *p2 = c; - p1++; - } + if (!globerr) + qsort(sortbas, Gvp - sortbas, sizeof (*sortbas), argcmp); sortbas = Gvp; } @@ -292,12 +300,15 @@ static int execbrc(char *p, char *s) { char restbuf[BUFSIZ + 2]; + char *restbufend = &restbuf[sizeof(restbuf)]; register char *pe, *pm, *pl; int brclev = 0; char *lm, savec, *sgpathp; - for (lm = restbuf; *p != '{'; *lm++ = *p++) - continue; + for (lm = restbuf; *p != '{'; *lm++ = *p++) { + if (lm >= restbufend) + return (0); + } for (pe = ++p; *pe; pe++) switch (*pe) { @@ -339,6 +350,8 @@ doit: savec = *pm; *pm = 0; + if (lm + strlen(pl) + strlen(pe + 1) >= restbufend) + return (0); (void) strcpy(lm, pl); (void) strcat(restbuf, pe + 1); *pm = savec; @@ -538,8 +551,12 @@ { register size_t len = strlen(s1) + strlen(s2) + 1; + if (globerr) + return; if (len >= gnleft || gargc >= GAVSIZ - 1) globerr = "Arguments too long"; + else if (len > MAXPATHLEN) + globerr = "Pathname too long"; else { gargc++; gnleft -= len; @@ -620,6 +637,7 @@ { register char **av = av0; + if (av) while (*av) free(*av++); } @@ -627,7 +645,7 @@ char *strspl(register char *cp, register char *dp) { register char *ep = - (char *) malloc((unsigned) (strlen(cp) + strlen(dp) + 1)); + (char *) malloc((unsigned) (strlen(cp) + strlen(dp) + 1)); if (ep == (char *) 0) fatal("Out of memory"); @@ -652,6 +670,7 @@ cp++; return (cp); } + /* * Extract a home directory from the password file * The argument points to a buffer where the name of the -- Koga, Youichirou To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
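Review bot: In the added `argcmp`, the casts `*(char **) p1` and `*(char **) p2` drop the const qualifier that qsort's comparator signature promises; `const char *s1 = *(char *const *) p1;` (and likewise for `s2`) keeps the compiler checking that the comparator never writes through the array. The new `if (!globerr)` guard in `sort` changes behaviour from the removed loop, which sorted unconditionally, and it carries no comment; something like `/* after a glob error the vector is discarded, so skip the sort */` would record the reason, if that is indeed the intent. `Gvp - sortbas` is a signed pointer difference converted to qsort's size_t count, so it relies on `sortbas` never lying past `&gargv[gargc]`, which is maintained outside this hunk.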
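Review bot: The new bounds check in the prefix-copy loop of `execbrc` bails out with `return (0);` but leaves `globerr` unset, so an over-long brace pattern appears to be dropped silently rather than reported; the same applies to the length check added at `doit:` in the @@ -339 hunk. The Gcat hunk reports its limits through `globerr`, and doing the same here, e.g. `globerr = "Arguments too long";` before each `return (0);`, would make the rejection visible. What the callers do with a 0 return is outside the hunk, so confirm against them. The loop still stops only on `'{'` and never tests for the terminating NUL, so it relies on the caller having already found a brace in `p`; without one it now reads up to `sizeof(restbuf)` bytes before the new check ends it.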
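Review bot: The early `return (0);` added at `doit:` runs after `*pm = 0;` and before `*pm = savec;`, so on the over-length path the caller's pattern string is left truncated at `pm`. The test also forms `lm + strlen(pl) + strlen(pe + 1)`, which can point well past the end of `restbuf` before it is compared, and that pointer arithmetic is undefined; comparing lengths avoids it. Suggested form: `if (strlen(pl) + strlen(pe + 1) >= (size_t) (restbufend - lm)) { *pm = savec; return (0); }`. `execbrc` starts and ends outside this hunk, and `restbufend` is declared in the @@ -292 hunk.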
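Review bot: The added `if (globerr) return;` sits after `len` has already been computed with two `strlen` calls, and the new `len > MAXPATHLEN` limit is applied to a `len` that already counts the terminating NUL; neither is explained. A short comment above the checks, such as `/* keep the first error; len includes the trailing NUL */`, would make both explicit. The unchanged comparison `len >= gnleft` mixes the `size_t` `len` with `gnleft`, whose declaration is outside the hunk. If `gnleft` is a signed type, a negative value would convert to a large unsigned one and the limit would not trigger, so that is worth confirming. The function's signature and tail are also outside the hunk.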
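Review bot: The added `if (av)` guard in the @@ -620 hunk wraps the existing `while` loop without braces, leaving a two-level unbraced nest whose extent is conveyed only by indentation. Bracing it, `if (av) { while (*av) free(*av++); }`, keeps a statement added later from silently landing outside the NULL check. The function's signature is outside the hunk.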