Subject: Re: ftpd: the advisory version
From: Bernd Luevelsmeyer (bernd.luevelsmeyerHEITEC.NET)
Date: Sun Jun 25 2000 - 02:43:19 CDT


Lamagra Argamal wrote:
[...]
> There are some other bugs in site_exec like
> for (t = cmd; *t && !isspace(*t); t++) {
> if (isupper(*t)) {
> *t = tolower(*t);
> }
> }
>
> Sanitizing stops at a space?? (good thing I didn't tell you this, eh tf8)
[...]

According to the C standard, <ctype.h> functions operate on values that
are representable as an 'unsigned char' or EOF; hence, if the compiler's
'char' is signed then negative character values in the string 'cmd' are
possible and might cause unpredictable results in isspace(), isupper()
and tolower(). Because sanitizing shouldn't stop, and the test with
isupper() is unnecessary anyway (tolower() returns the unchanged value
if the parameter isn't an uppercase letter), I suggest:
     for (t = cmd; *t; t++)
             *t = tolower((unsigned char)*t);
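
Added example (not part of the original message and not wu-ftpd code): the loop shape from the quoted snippet next to the loop suggested in the reply, run on a constructed command string that contains a byte above 0x7F and uppercase text after a space. The function names and the sample string are hypothetical; the cast is added to the first loop as well so that the demonstration itself stays well-defined.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Loop shape from the quoted code: stops at the first whitespace byte.
 * The (unsigned char) cast is added only to keep this demo well-defined. */
static size_t lower_until_space(char *cmd)
{
    char *t;
    for (t = cmd; *t && !isspace((unsigned char)*t); t++)
        *t = (char)tolower((unsigned char)*t);
    return (size_t)(t - cmd);          /* bytes actually processed */
}

/* Loop suggested in the reply: every byte up to the terminator. */
static size_t lower_all(char *cmd)
{
    char *t;
    for (t = cmd; *t; t++)
        *t = (char)tolower((unsigned char)*t);
    return (size_t)(t - cmd);
}

/* Count bytes above 0x7F. Where plain char is a signed 8-bit type these
 * are negative, so passing them uncast to <ctype.h> is out of range. */
static size_t high_bytes(const char *s)
{
    size_t n = 0;
    for (; *s; s++)
        if ((unsigned char)*s > 0x7F)
            n++;
    return n;
}

int main(void)
{
    /* Constructed sample input, not taken from any real session. */
    char a[] = "TAR\xE9 -C /TMP";
    char b[] = "TAR\xE9 -C /TMP";

    printf("high bytes in input: %zu\n", high_bytes(a));
    printf("stop at space: %zu bytes processed\n", lower_until_space(a));
    printf("whole string:  %zu bytes processed\n", lower_all(b));
    printf("tail left as-is: \"%s\"  tail lowered: \"%s\"\n", a + 4, b + 4);
    return 0;
}
```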