Date: Thu, 2 Sep 1999 01:57:14 +0300
From: Liviu Daia <Liviu.Daia@imar.ro>
To: security-audit@ferret.lmh.ox.ac.uk
Subject: Re: State of proFTPd / 1.2.0pre5

On 1 September 1999, Martin Bogomolni <martinb@cobaltnet.com> wrote:

> Given that there is a current thread of conversation about FTP
> servers, I thought this might be an apropos moment to ask for some
> help with proFTPd.

[...]

> Anyone here care to spare some cycles eliminating the little nasties
> in there?

I took a quick look at ProFTPd a few days ago, for reasons unrelated to
security (I was trying to fix a bug that seemed to be triggered on OSF/1
but not on Linux).  It's one of the worst attempts I ever saw to achieve
OO design in plain C.  As usual with this approach, passing arguments to
the "virtual" functions is awkward, and the code that actually does it
is sloppy at best.  F.i. the cause for my problems on OSF/1 (64-bit
machine, big endian) was an uid_t value that was written to a (void *)
(the pointer itself, not a buffer it was pointing to), and cast later to
a (char *) and back to uid_t.  The same thing is done in a lot of places
(including the user authentication code), and IMO this "feature" alone
has a huge potential of causing trouble.

As other people pointed out earlier, there are also sprintf()s all over
the place (_some_ of which have been replaced with snprintf() in
1.2.0pre4), some strncpy() may leave unterminated strings, and path
variables are copied to 256-byte buffers (256 being a "magic number",
not a #define), sometimes with strcpy().

At that point I simply ditched ProFTPd.  IMHO, auditing ProFTPd at this
stage would be next to useless: even trying to fix only the biggest
problems in the code would require a complete rewrite of large portions
of the code.  Which is indeed unfortunate, since the set of features is
very nice.

Regards,

Liviu Daia

--
Dr. Liviu Daia                  e-mail:   Liviu.Daia@imar.ro
Institute of Mathematics        web page: http://www.imar.ro/~daia
of the Romanian Academy         PGP key:  http://www.imar.ro/~daia/daia.asc
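The three C hazards the message names (an integer value smuggled through the bytes of a pointer variable, strncpy() leaving a buffer unterminated, and paths strcpy()'d into a bare 256-byte buffer) are illustrated below, each beside a safe form. This is an added example written for this page, not ProFTPd code; the function names, the 8-byte scratch buffer and the PATH_BUF constant are assumptions. The pointer-smuggling function reproduces the "works on one platform, breaks on another" symptom by writing sizeof(uid_t) bytes into a void * object and reading the whole pointer back: the bytes land in the low half of the pointer on a little-endian 64-bit host and in the high half on a big-endian one.

```c
/*
 * Added example (not ProFTPd code): the three C hazards named in the mail,
 * each beside a safe form.  Names, buffer sizes and PATH_BUF are hypothetical.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>   /* uid_t */

#define PATH_BUF 256     /* a named size instead of a bare "magic" 256 */

/* 1 on a little-endian host, 0 on a big-endian one. */
int is_little_endian(void)
{
    uint16_t probe = 1;
    unsigned char first;
    memcpy(&first, &probe, 1);
    return first == 1;
}

/*
 * Hazard 1: storing a uid_t in the pointer variable itself.  Only the first
 * sizeof(uid_t) bytes of the void * object are overwritten, then the whole
 * pointer is converted back to an integer.  Returns 1 if the value survives,
 * which depends on byte order and pointer width, not on the program's logic.
 */
int uid_via_pointer_bytes_roundtrips(uid_t uid)
{
    void *slot = NULL;                       /* the "argument" slot */
    memcpy(&slot, &uid, sizeof uid);         /* write INTO the pointer */
    uid_t back = (uid_t)(uintptr_t)slot;     /* read the whole pointer back */
    return back == uid;
}

/* Safe form: pass a pointer TO a uid_t object, never a uid_t AS a pointer. */
int uid_via_real_pointer_roundtrips(uid_t uid)
{
    uid_t storage = uid;
    void *arg = &storage;                    /* what a "virtual" call receives */
    uid_t back = *(const uid_t *)arg;
    return back == uid;
}

/*
 * Hazard 2: strncpy() writes at most n bytes and never adds a NUL when the
 * source is at least n characters long.  Returns 1 if a NUL is present
 * anywhere in the 8-byte destination after the copy, 0 if it is not.
 */
int strncpy_left_terminated(const char *src)
{
    char buf[8];
    strncpy(buf, src, sizeof buf);
    return memchr(buf, '\0', sizeof buf) != NULL;
}

/*
 * Safe form for hazards 2 and 3: a bounded copy that refuses input which does
 * not fit (including its NUL) instead of overflowing or silently truncating;
 * a truncated path is itself a correctness and security problem.
 * Returns 0 on success, -1 if rejected.
 */
int copy_path(char *dst, size_t dstsz, const char *src)
{
    size_t n = strlen(src);
    if (dstsz == 0 || n >= dstsz)
        return -1;
    memcpy(dst, src, n + 1);                 /* n + 1 includes the NUL */
    return 0;
}

/* Copy src into a PATH_BUF-sized buffer; returns its length, or -1 if rejected. */
long copy_into_path_buf(const char *src)
{
    char path[PATH_BUF];
    if (copy_path(path, sizeof path, src) != 0)
        return -1;
    return (long)strlen(path);
}

/* Build a constructed path of `len` 'a' characters and try to copy it. */
long copy_path_of_length(size_t len)
{
    char src[512];
    if (len >= sizeof src)
        return -1;
    memset(src, 'a', len);
    src[len] = '\0';
    return copy_into_path_buf(src);
}

int main(void)
{
    printf("uid through pointer bytes survives: %d (little-endian host: %d)\n",
           uid_via_pointer_bytes_roundtrips(1000), is_little_endian());
    printf("uid through a real pointer survives: %d\n",
           uid_via_real_pointer_roundtrips(1000));
    printf("strncpy of 10 chars into 8 bytes terminated: %d\n",
           strncpy_left_terminated("0123456789"));
    printf("255-char path accepted: %ld, 256-char path accepted: %ld\n",
           copy_path_of_length(255), copy_path_of_length(256));
    return 0;
}
```

On the x86-64 and arm64 machines most readers will run this on, the first line prints 1 because both are little-endian, which is exactly why such a bug stays invisible on Linux and surfaces only on a host with a different byte order or pointer width; the safe form does not depend on either.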