Date: Thu, 2 Sep 1999 01:57:14 +0300
From: Liviu Daia <Liviu.Daia@imar.ro>
To: security-audit@ferret.lmh.ox.ac.uk
Subject: Re: State of proFTPd / 1.2.0pre5

On 1 September 1999, Martin Bogomolni <martinb@cobaltnet.com> wrote:
>
> Given that there is a current thread of conversation about FTP
> servers, I thought this might be an apropos moment to ask for some
> help with proFTPd.
[...]
> Anyone here care to spare some cycles eliminating the little nasties
> in there?

    I took a quick look at ProFTPd a few days ago, for reasons unrelated to
security (I was trying to fix a bug that seemed to be triggered on OSF/1
but not on Linux).  It's one of the worst attempts I ever saw to achieve
OO design in plain C.  As usual with this approach, passing arguments
to the "virtual" functions is awkward, and the code that actually does
it is sloppy at best.  F.i. the cause for my problems on OSF/1 (64-bit
machine, big endian) was an uid_t value that was written to a (void *)
(the pointer itself, not a buffer it was pointing to), and cast later to
a (char *) and back to uid_t.  The same thing is done in a lot of places
(including the user authentication code), and IMO this "feature" alone
has a huge potential of causing trouble.

    As other people pointed out earlier, there are also sprintf()s all
over the place (_some_ of which have been replaced with snprintf() in
1.2.0pre4), some strncpy() may leave unterminated strings, and path
variables are copied to 256-byte buffers (256 being a "magic number",
not a #define), sometimes with strcpy().  At that point I simply ditched
ProFTPd.

    IMHO, auditing ProFTPd at this stage would be next to useless:
even trying to fix only the biggest problems in the code would require
a complete rewrite of large portions of the code.  Which is indeed
unfortunate, since the set of features is very nice.

    Regards,

    Liviu Daia

-- 
Dr. Liviu Daia               e-mail:   Liviu.Daia@imar.ro
Institute of Mathematics     web page: http://www.imar.ro/~daia
of the Romanian Academy      PGP key:  http://www.imar.ro/~daia/daia.asc
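The strncpy()/strcpy()/sprintf()-into-a-256-byte-buffer patterns described in the message, shown as an added example next to bounded, always-terminating alternatives that report truncation. This is illustrative code written for this page, not ProFTPd's; the function names, the PATH_BUF macro and the sample path are constructed for it.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* The message criticises a bare 256 used as a buffer size; name it. */
#define PATH_BUF 256

/* Pattern criticised above: strncpy() into a fixed buffer.  When the
 * source is PATH_BUF bytes or longer, all PATH_BUF bytes are filled
 * and no terminating NUL is written, so a later strlen()/strcpy()
 * on dst reads past the end of the buffer.  Returns whether dst is
 * actually NUL-terminated afterwards. */
bool copy_path_strncpy(char dst[PATH_BUF], const char *src)
{
    strncpy(dst, src, PATH_BUF);
    return memchr(dst, '\0', PATH_BUF) != NULL;
}

/* Hardened copy: always terminates and reports truncation, so the
 * caller can reject the path instead of silently using a shorter one. */
bool copy_path_checked(char dst[PATH_BUF], const char *src)
{
    size_t len = strlen(src);
    if (len >= PATH_BUF) {
        memcpy(dst, src, PATH_BUF - 1);
        dst[PATH_BUF - 1] = '\0';
        return false;
    }
    memcpy(dst, src, len + 1);
    return true;
}

/* Replacement for the sprintf() calls: snprintf() bounds the write,
 * but only its return value reveals truncation, so check it. */
bool join_path_checked(char dst[PATH_BUF], const char *dir, const char *name)
{
    int n = snprintf(dst, PATH_BUF, "%s/%s", dir, name);
    return n >= 0 && (size_t)n < PATH_BUF;
}

int main(void)
{
    char dst[PATH_BUF];
    char longpath[PATH_BUF + 40];               /* constructed sample input */
    memset(longpath, 'a', sizeof longpath - 1);
    longpath[sizeof longpath - 1] = '\0';

    printf("strncpy left dst terminated: %d\n", copy_path_strncpy(dst, longpath));
    printf("checked copy fit:            %d\n", copy_path_checked(dst, longpath));
    printf("snprintf join fit:           %d\n", join_path_checked(dst, "/home/ftp", longpath));
    return 0;
}
```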