Bugzilla – Bug 150399
gftp-2.0.18-11: 2 * array subscript out of range
Last modified: 2009-10-13 22:44:18 UTC
I just tried to compile package gftp-2.0.18-11 with the Intel C compiler. It said 1. fsplib.c(617): warning #175: subscript out of range The source code is entry->d_name[MAXNAMLEN + 1 ] = '\0'; Suggest code rework. Maybe the programmer intended entry->d_name[MAXNAMLEN] = '\0'; 2. fsplib.c(683): warning #175: subscript out of range The source code is entry->name[255 + 1] = '\0'; Suggest code rework. Maybe the programmer intended entry->name[255] = '\0';
More like [MAXLEN - 1] but this cannot be said without any complete context here. If this creates an actual problem, please reopen.
(In reply to comment #1) > More like [MAXLEN - 1] but this cannot be said without any complete context > here. If this creates an actual problem, please reopen. Oh no. The code is certainly broken, but I have to demonstrate it breaking before it can be fixed ? That sounds less than optimal to me. It could easily be the case that the suggested fix is wrong.
Well then where is the declaration of this field, show why this code is broken and provide a testcase to provoke the problem.
(In reply to comment #3) > Well then where is the declaration of this field, show why this code is broken > and provide a testcase to provoke the problem. fsplib.c(617): warning #175: subscript out of range The source code is entry->d_name[MAXNAMLEN + 1 ] = '\0'; but linux:/usr/src/packages/SPECS # find /usr/include -name \*.h -print | xargs grep "define.*MAXNAMLEN" /usr/include/dirent.h:# define MAXNAMLEN NAME_MAX /usr/include/dirent.h:# define MAXNAMLEN 255 and linux:/usr/src/packages/SPECS # find /usr/include -name \*.h -print | xargs grep "define.* NAME_MAX" /usr/include/linux/limits.h:#define NAME_MAX 255 /* # chars in a file name */ so the source code is trying to access entry->d_name[ 256]. Also linux:/usr/src/packages/SPECS # find /usr/include -name \*.h -print | xargs fgrep "d_name[" /usr/include/bits/dirent.h: char d_name[256]; /* We must not include limits.h! */ /usr/include/bits/dirent.h: char d_name[256]; /* We must not include limits.h! */ /usr/include/linux/dirent.h: char d_name[256]; /* We must not include limits.h! */ /usr/include/linux/dirent.h: char d_name[256]; So it is hopefully clear that the source code tried to index 256 into a 256 char array. This seems to be broken code. Suggest code rework. Maybe the programmer intended entry->d_name[MAXNAMLEN] = '\0'; 2. fsplib.c(683): warning #175: subscript out of range The source code is entry->name[255 + 1] = '\0'; Suggest code rework. Maybe the programmer intended entry->name[255] = '\0'; As far as demonstrating the fault at run time is concerned, I'm pretty sure almost any use of valgrind [ www.valgrind.org ] will find the fault. You *do* use valgrind in normal testing, don't you ?
Stanislav: Please fix that.
Fixed.
single zero byte overflow got CVE-2006-7221
CVE-2006-7221: CVSS v2 Base Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)