xu-wang11 / ftpserver Goto Github PK

hello, I'm just learning ftp protocol
found some bugs here and just make a mark
don't mind ^ ^

1 ftpserver.c:recv_msg

• cmd and argument is default null
• not force \r\n end
  what if len(buf)<=2 ?
  ex: buf="aa" then *cmd = _substring(*buf, 0, 2-2)
  cmd = null and will cause null deference in handle_client_command when call strcmp
  server will crash

	int index = _find_first_of(*buf, ' ');
	if (index < 0) {
		*cmd = _substring(*buf, 0, strlen(*buf) - 2)

2 handle_client_command:handle_PASS

the problem just like the first one
what if I send

send('USER anonymous\r\n')
send('PASS\r\n')

then the argument value will be null
when handle_PASS called
strcpy(client->_pass, pass); cause null deference

3 handle_USER handle_PASS

heap overflow in handle_USER and handle_PASS
struct FtpClient only have name[20] pass[20]
size is fix 20
but it can recv more then 20 bytes
what if

send('USER anonymous\r\n')
send('PASS '+'a'*0x100+'\r\n') # buffer overflow
send('QUIT\r\n')

the will free heap chunk which is overwrote, crash the server

handle_PWD handle_CWD handle_RETR

dir fix buf size

if there have a dir size larger than 300 something bad happend

just like

aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa/

cause stack overflow and heap overflow

Hi,

I'm considering forking your code for FtpServer for use as a very small ftpd that I can use on my laptop.

What type of license are you releasing the software under, or do you consider it to be in the public domain?