[bug-inetutils] Buffer overflow on tftpd?

From: Ricardo Ribalda Delgado
Subject: [bug-inetutils] Buffer overflow on tftpd?
Date: Thu, 18 Jul 2019 14:34:41 +0200


I have compiled tftpd with gcc 8.3 and Glibc 2.29. I use it with
xinetd 2.3.15. When I request a nonexistent file from the server, the
server dies with:

*** buffer overflow detected ***

After some debugging I figured out that the error is in nack(error) at:

strcpy (tp->th_msg, pe->e_msg);

As much as I look at the code, I cannot find the overflow. buff has
enough space to fetch 15 bytes, but maybe I am too old for this kind
of bug :)

This patch fixes the problem for me:

diff --git a/src/tftpd.c b/src/tftpd.c
index 56002a0..144012f 100644
--- a/src/tftpd.c
+++ b/src/tftpd.c
@@ -864,9 +864,8 @@ nak (int error)
       pe->e_msg = strerror (error - 100);
       tp->th_code = EUNDEF; /* set 'undef' errorcode */
-  strcpy (tp->th_msg, pe->e_msg);
   length = strlen (pe->e_msg);
-  tp->th_msg[length] = '\0';
+  memcpy(tp->th_msg, pe->e_msg, length + 1);
   length += 5;
   if (sendto (peer, buf, length, 0, (struct sockaddr *) &from,
fromlen) != length)
     syslog (LOG_ERR, "nak: %m\n");
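
Review bot: the new memcpy still copies length + 1 bytes into tp->th_msg with no check that the message plus header fits in buf, so it is as unbounded as the strcpy it replaces. One branch of this hunk takes the message from strerror (), whose length is not fixed, so clamp length to the space left in buf after the header before copying, and compute the sendto length from the clamped value. The commit message should also say why the strcpy was flagged, so the change is not read as only quieting the runtime check. Style: the surrounding lines put a space before the parenthesis, so write memcpy (tp->th_msg, ...).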

In case you want to take a look at it.

Best regards!

Ricardo Ribalda
