Hi @Gabe-commiter,
I found an issue that can trigger a buffer overflow in your application. The issue exists in the `do_retr()` function (from line 706 to 791) in ftpproto.c.
At a glance, we can see you defined `char arg[MAX_ARG];`, which is not a problem; however, when you use `sprintf()` on lines 718 and 721, they trigger a buffer overflow.
```c
static void do_retr(session_t *sess)
{
    /* <truncated> */
    char buf[MAX_BUFFER_SIZE] = {0}; // Defined buffer called buf with MAX_BUFFER_SIZE length
    // 2. Determine the transfer mode
    if (sess->is_ascii)
        // Triggers the buffer overflow because sess->arg is defined with a length of 1024,
        // so when sprintf is executed, the buffer `buf` can be written with a total of len("Opening ASCII mode data connection for ") + MAX_BUFFER_SIZE + len(" (%ld bytes)")
        sprintf(buf, "Opening ASCII mode data connection for %s (%ld bytes)", sess->arg, sbuf.st_size); // ASCII
    else
        // Triggers the buffer overflow because sess->arg is defined with a length of 1024,
        // so when sprintf is executed, the buffer `buf` can be written with a total of len("Opening ASCII mode data connection for ") + MAX_BUFFER_SIZE + len(" (%ld bytes)")
        sprintf(buf, "Opening BINARY mode data connection for %s (%ld bytes)", sess->arg, sbuf.st_size);
    /* <truncated> */
}
```
Solution: Please use `snprintf()` to limit maximum input characters.

See: https://www.geeksforgeeks.org/snprintf-c-library/
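Added example, not part of the original issue or the project's code: one way to apply the suggested `snprintf()` fix to the status line built in `do_retr()`, including the return-value check that detects truncation. The helper name `format_retr_reply` and the value 1024 for `MAX_BUFFER_SIZE` are assumptions; the file name inputs are constructed.

```c
#include <stdio.h>
#include <string.h>

/* Assumed sizes: the issue says sess->arg holds 1024 bytes; the value of
 * MAX_BUFFER_SIZE is not shown on the page, so 1024 is an assumption. */
#define MAX_ARG 1024
#define MAX_BUFFER_SIZE 1024

/* Hypothetical helper: builds the RETR status line with a bounded write.
 * Returns 0 on success, -1 if the line does not fit (buf then holds a
 * NUL-terminated, truncated string) or on a formatting error. */
static int format_retr_reply(char *buf, size_t buflen, int is_ascii,
                             const char *arg, long size)
{
    int n = snprintf(buf, buflen,
                     "Opening %s mode data connection for %s (%ld bytes)",
                     is_ascii ? "ASCII" : "BINARY", arg, size);
    /* snprintf returns the length it needed; >= buflen means truncated. */
    if (n < 0 || (size_t)n >= buflen)
        return -1;
    return 0;
}

/* Constructed input: a file name that fills sess->arg completely, the
 * case in which the unbounded sprintf() writes past the end of buf. */
static int demo_long_name(void)
{
    char arg[MAX_ARG];
    char buf[MAX_BUFFER_SIZE] = {0};

    memset(arg, 'A', sizeof(arg) - 1);
    arg[sizeof(arg) - 1] = '\0';

    int rc = format_retr_reply(buf, sizeof(buf), 1, arg, 4096L);
    /* The write is reported as truncated and buf stays within bounds. */
    return rc == -1 && strlen(buf) == MAX_BUFFER_SIZE - 1;
}

int main(void)
{
    char buf[MAX_BUFFER_SIZE];

    if (format_retr_reply(buf, sizeof(buf), 0, "a.txt", 12L) == 0)
        puts(buf);
    printf("long name truncated safely: %d\n", demo_long_name());
    return 0;
}
```

A caller that gets -1 can send an error reply or a shortened status line instead of the truncated text.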