[krbdev.mit.edu #6521] ftp.c makes questionable use of strlen()

The RT System itself via RT rt-comment at krbdev.mit.edu
Fri Jun 26 17:48:47 EDT 2009


Date: Fri, 26 Jun 2009 16:20:35 -0400
Message-Id: <200906262020.n5QKKZ8E026242 at blade.bos.redhat.com>
To: krb5-bugs at mit.edu
Subject: questionable use of strlen() in ftp.c
From: Nalin Dahyabhai <nalin at redhat.com>


>Submitter-Id:	net
>Originator:	
>Organization:
>Confidential:	no
>Synopsis:	ftp.c makes questionable use of strlen()
>Severity:	non-critical
>Priority:	low
>Category:	krb5-appl
>Class:		sw-bug
>Release:	1.7
>Environment:
	
System: Linux blade.bos.redhat.com 2.6.29.4-167.fc11.x86_64 #1 SMP Wed May 27 17:27:08 EDT 2009 x86_64 x86_64 x86_64 GNU/Linux
Architecture: x86_64

>Description:
	Looking at the ftp sources, there's some odd use of strlen()
	where the intent appears to be to guard against having string
	buffers that aren't zero-terminated, but the code is instead
	writing a zero byte to a location which we know already has
	that value.
>How-To-Repeat:
	(Haven't noticed any odd behavior.)
>Fix:
	This patch fixes the instances where it looks like something based
	on the size of the destination buffer was intended:

Index: src/appl/gssftp/ftp/ftp.c
===================================================================
--- src/appl/gssftp/ftp/ftp.c	(revision 22423)
+++ src/appl/gssftp/ftp/ftp.c	(working copy)
@@ -1655,21 +1655,21 @@
 	ip->ntflg = ntflag;
 	ntflag = op->ntflg;
 	(void) strncpy(ip->nti, ntin, sizeof(ip->nti) - 1);
-	(ip->nti)[strlen(ip->nti)] = '\0';
+	(ip->nti)[sizeof(ip->nti) - 1] = '\0';
 	(void) strncpy(ntin, op->nti, sizeof(ntin) - 1);
 	ntin[sizeof(ntin) - 1] = '\0';
 	(void) strncpy(ip->nto, ntout, sizeof(ip->nto) - 1);
-	(ip->nto)[strlen(ip->nto)] = '\0';
+	(ip->nto)[sizeof(ip->nto) - 1] = '\0';
 	(void) strncpy(ntout, op->nto, sizeof(ntout) - 1);
 	ntout[sizeof(ntout) - 1] = '\0';
 	ip->mapflg = mapflag;
 	mapflag = op->mapflg;
-	(void) strncpy(ip->mi, mapin, MAXPATHLEN - 1);
-	(ip->mi)[strlen(ip->mi)] = '\0';
+	(void) strncpy(ip->mi, mapin, sizeof(ip->mi) - 1);
+	(ip->mi)[sizeof(ip->mi) - 1] = '\0';
 	(void) strncpy(mapin, op->mi, sizeof(mapin) - 1);
 	mapin[sizeof(mapin) - 1] = '\0';
-	(void) strncpy(ip->mo, mapout, MAXPATHLEN - 1);
-	(ip->mo)[strlen(ip->mo)] = '\0';
+	(void) strncpy(ip->mo, mapout, sizeof(ip->mo) - 1);
+	(ip->mo)[sizeof(ip->mo) - 1] = '\0';
 	(void) strncpy(mapout, op->mo, sizeof(mapout) - 1);
 	mapout[sizeof(mapout) - 1] = '\0';
 	ip->authtype = auth_type;
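
Review bot: in the ip->mi and ip->mo lines, replacing MAXPATHLEN - 1 with sizeof(ip->mi) - 1 and sizeof(ip->mo) - 1 is only correct if those members are declared as arrays; the declaration is outside this hunk, so please confirm they are not pointers (sizeof would then give the pointer size) and state it in the change description. The new terminators match the unchanged ntin, ntout, mapin and mapout lines, which is the right form. The copies still truncate silently when the source is longer than the field, so a short comment saying truncation is acceptable here would help the next reader.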

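The effect described in the report, shown as an added example that is not part of the original message or of the krb5 sources: a destination field holding stale non-zero bytes is filled from an over-long source with each idiom. FIELD, BACKING and the function names are constructed for this illustration, and the field sits inside a larger array so that strlen() stays in bounds.

```c
#include <stdio.h>
#include <string.h>

#define FIELD 8              /* size of the destination field (constructed) */
#define BACKING (FIELD + 8)  /* field plus trailing bytes in the same array */

/* Fill the array with stale non-zero bytes and a NUL only at the very end,
 * so strlen() always stops inside the array. */
static void make_stale(char *backing)
{
    memset(backing, 'X', BACKING - 1);
    backing[BACKING - 1] = '\0';
}

/* Idiom removed by the patch: the store lands on the NUL that strlen()
 * just found, so the buffer is unchanged by it. */
size_t copy_strlen_idiom(char *backing, const char *src)
{
    make_stale(backing);
    strncpy(backing, src, FIELD - 1);
    backing[strlen(backing)] = '\0';   /* no-op */
    return strlen(backing);
}

/* Idiom used by the patch: terminate at the last byte of the field. */
size_t copy_sizeof_idiom(char *backing, const char *src)
{
    make_stale(backing);
    strncpy(backing, src, FIELD - 1);
    backing[FIELD - 1] = '\0';
    return strlen(backing);
}

int main(void)
{
    char backing[BACKING];
    const char *long_src = "0123456789";  /* constructed, longer than FIELD */

    printf("strlen idiom: %zu\n", copy_strlen_idiom(backing, long_src));
    printf("sizeof idiom: %zu\n", copy_sizeof_idiom(backing, long_src));
    printf("short source: %zu\n", copy_sizeof_idiom(backing, "abc"));
    return 0;
}
```

With the strlen() form the resulting string runs past the field into the stale bytes; with the sizeof form it is cut at FIELD - 1 characters.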


