Open
Hello, I'm just learning the FTP protocol. I found some bugs here and just want to make a note of them. Don't mind ^ ^
1 ftpserver.c:recv_msg

- cmd and argument are null by default
- the \r\n ending is not enforced

What if len(buf) <= 2?
e.g. buf = "aa", then `*cmd = _substring(*buf, 0, 2-2)`.
cmd = null, which causes a null dereference in handle_client_command when strcmp is called, and the server will crash.

```c
int index = _find_first_of(*buf, ' ');
if (index < 0) {
    *cmd = _substring(*buf, 0, strlen(*buf) - 2);
}
```

2 handle_client_command:handle_PASS
The problem is just like the first one. What if I send

```python
send('USER anonymous\r\n')
send('PASS\r\n')
```

then the argument value will be null when handle_PASS is called, and `strcpy(client->_pass, pass);` causes a null dereference.
3 handle_USER handle_PASS

Heap overflow in handle_USER and handle_PASS.
struct FtpClient only has name[20] and pass[20]; the size is fixed at 20, but it can receive more than 20 bytes.
What if

```python
send('USER anonymous\r\n')
send('PASS '+'a'*0x100+'\r\n') # buffer overflow
send('QUIT\r\n')
```

then QUIT will free the heap chunk that was overwritten and crash the server.
4 handle_PWD handle_CWD handle_RETR

dir has a fixed buffer size. If there is a dir whose size is larger than 300, something bad happens, just like:

```
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa/
```

which causes a stack overflow and heap overflow.
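The three parsing defects above (no CRLF check in recv_msg, a null/empty PASS argument, and unbounded strcpy into the 20-byte fields) share one fix: validate the line before splitting it, and copy into fixed fields only with a length check. The following is an added example of such hardened handling, written for this issue and not code from the project; the `struct FtpClient` layout and the `parse_ftp_line`, `set_client_field` and `accept_password` names are assumptions.

```c
#include <stddef.h>
#include <string.h>

/* Field sizes mirror the issue: name[20] and pass[20] (layout assumed). */
struct FtpClient { char name[20]; char pass[20]; };

/* Split "CMD[ ARG]\r\n" into cmd and arg. Returns 0 on success, -1 if the
 * line lacks the CRLF terminator, is empty, or a part would not fit its
 * buffer. cmd and arg are always NUL-terminated strings, never NULL, so a
 * caller's strcmp/strcpy cannot dereference a null pointer. */
int parse_ftp_line(const char *buf, char *cmd, size_t cmd_sz,
                   char *arg, size_t arg_sz)
{
    size_t len = strlen(buf);
    /* The reported crash: with len <= 2, strlen(buf) - 2 is 0 or wraps. */
    if (len < 2 || buf[len - 2] != '\r' || buf[len - 1] != '\n') return -1;
    len -= 2;                                /* drop the CRLF */
    if (len == 0) return -1;                 /* bare "\r\n" */
    const char *sp = memchr(buf, ' ', len);
    size_t cmd_len = sp ? (size_t)(sp - buf) : len;
    if (cmd_len == 0 || cmd_len >= cmd_sz) return -1;
    memcpy(cmd, buf, cmd_len);
    cmd[cmd_len] = '\0';
    size_t arg_len = sp ? len - cmd_len - 1 : 0;
    if (arg_len >= arg_sz) return -1;        /* would overflow the buffer */
    if (arg_len) memcpy(arg, sp + 1, arg_len);
    arg[arg_len] = '\0';
    return 0;
}

/* Bounded replacement for strcpy(client->_pass, pass): rejects a missing or
 * empty argument ("PASS\r\n") and anything that does not fit the 20-byte
 * field, which is what allowed the 0x100-byte heap overflow. */
int set_client_field(char *dst, size_t dst_sz, const char *src)
{
    if (src == NULL || src[0] == '\0') return -1;
    size_t n = strlen(src);
    if (n >= dst_sz) return -1;
    memcpy(dst, src, n + 1);
    return 0;
}

/* A PASS handler built on the two checks: 0 if the password was stored,
 * -1 for a malformed line, a non-PASS command, or an unusable argument. */
int accept_password(const char *line)
{
    struct FtpClient c = {{0}, {0}};
    char cmd[8], arg[256];
    if (parse_ftp_line(line, cmd, sizeof cmd, arg, sizeof arg) != 0) return -1;
    if (strcmp(cmd, "PASS") != 0) return -1;
    return set_client_field(c.pass, sizeof c.pass, arg);
}
```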