Subject: pkg/23963: possible buffer overflow in lukemftp
To: None <gnats-bugs@gnats.NetBSD.org>
From: None <philippe.oechslin@epfl.ch>
List: netbsd-bugs
Date: 01/03/2004 23:22:05
>Number:         23963
>Category:       pkg
>Synopsis:       possible buffer overflow in lukemftp
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    pkg-manager
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Sat Jan 03 23:23:00 UTC 2004
>Closed-Date:
>Last-Modified:
>Originator:     philippe oechslin
>Release:        suse linux 8.2, lukemftp 1.5
>Organization:
LASEC / EPFL
>Environment:
Linux lasecpc12 2.4.20-4GB #1 Wed Dec 3 10:42:32 UTC 2003 i686 unknown unknown GNU/Linux

>Description:
If given a username that is too long, lukemftp gets confused and cannot establish connections anymore. It is as if some data got stuck in some input buffer and prevents other commands from executing correctly.

In the example given, note that after having given a too-long username, the next two user commands fail, the third one generates an "acct:" prompt, and then the client is not capable of listing a directory.

For the bug to work, the second, third and fourth user commands must be given without a parameter.
>How-To-Repeat:
ftp> o in1sun10
Connected to toto.epfl.ch.
220 toto FTP server ready.
Name (toto:oechslin): AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
331 Password required for AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.
Password:
530 Login incorrect.
ftp: Login failed.
ftp> user
(username) oechslin
530 Please login with USER and PASS.
Login failed.
ftp> user
(username) oechslin
530 Please login with USER and PASS.
Login failed.
ftp> user
(username) oechslin
331 Password required for oechslin.
Password:
331 Password required for oechslin.
Account:
230-                    User 1 (max. unlimited)
230-                Local Time is: Sun Jan  4 00:16:41 2004
230-
230 User oechslin logged in.
ftp> ls
500 'FEAT': command not understood.
500 'EPSV': command not understood.
227 Entering Passive Mode (128,178,164,44,143,211)
200 PORT command successful.
ftp>
ftp> ls
425 Can't build data connection: Connection refused.
ftp> ls
200 PORT command successful.
200 PORT command successful.
ftp> ls
425 Can't build data connection: Connection refused.
ftp> ls
200 PORT command successful.
200 PORT command successful.
ftp> ls
425 Can't build data connection: Connection refused.
ftp> ls
200 PORT command successful.
200 PORT command successful.
ftp>


>Fix:

>Release-Note:
>Audit-Trail:
>Unformatted:
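The report above attributes the misbehaviour to data left behind in an input buffer. The C program below is an added illustration of that general mechanism, written for this page; it is not lukemftp's code and does not claim to be the actual defect. It assumes a hypothetical 64-byte line buffer and a constructed input of a 200-character username followed by a normal "user" command. With a plain fgets() reader, the over-long line is handed back in pieces, so a lock-step client would send each piece as a separate command and receive a reply for each, which is exactly the kind of stale-reply backlog that would make later commands appear to fail. The drained variant detects truncation, discards the rest of the line and reports it, so the caller can reject the input instead of emitting fragments.

```c
/* Added example (not from the bug report or lukemftp): how a fixed-size
 * line buffer leaves the tail of an over-long line in the input stream.
 * Buffer size, function names and sample input are assumptions for the demo. */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>

#define LINE_MAX_DEMO 64   /* assumed client-side line buffer size */

/* Constructed sample input: a 200-char username line, then an ordinary
 * "user" command. Not taken from the report's session. */
const char *demo_input(void)
{
    static char buf[256];
    memset(buf, 'A', 200);
    buf[200] = '\n';
    strcpy(buf + 201, "user oechslin\n");
    return buf;
}

/* Naive reader: fgets() into a fixed buffer. If the line is longer than
 * the buffer, the remainder stays in fp and comes back on the next call,
 * as though the user had typed a further command. */
static char *read_line_naive(FILE *fp, char *buf, size_t size)
{
    if (fgets(buf, (int)size, fp) == NULL)
        return NULL;
    buf[strcspn(buf, "\n")] = '\0';
    return buf;
}

/* Hardened reader: if the buffer filled without a newline and more input
 * follows, discard the rest of that line and flag it via *truncated. */
static int read_line_drained(FILE *fp, char *buf, size_t size, int *truncated)
{
    int c;
    *truncated = 0;
    if (fgets(buf, (int)size, fp) == NULL)
        return 0;
    if (strchr(buf, '\n') == NULL) {
        c = getc(fp);
        if (c != EOF) {
            *truncated = 1;
            while (c != EOF && c != '\n')
                c = getc(fp);
        }
    }
    buf[strcspn(buf, "\n")] = '\0';
    return 1;
}

/* Model a client that sends every line the reader hands back as one
 * command. Returns how many commands the naive reader would emit. */
int count_commands_naive(const char *input)
{
    char buf[LINE_MAX_DEMO];
    int n = 0;
    FILE *fp = fmemopen((void *)input, strlen(input), "r");
    if (fp == NULL)
        return -1;
    while (read_line_naive(fp, buf, sizeof buf) != NULL)
        n++;
    fclose(fp);
    return n;
}

static int scan_drained(const char *input, int *commands, int *rejected)
{
    char buf[LINE_MAX_DEMO];
    int truncated;
    *commands = *rejected = 0;
    FILE *fp = fmemopen((void *)input, strlen(input), "r");
    if (fp == NULL)
        return -1;
    while (read_line_drained(fp, buf, sizeof buf, &truncated)) {
        if (truncated)
            (*rejected)++;   /* caller would refuse this line outright */
        else
            (*commands)++;
    }
    fclose(fp);
    return 0;
}

/* Commands the hardened reader would actually send. */
int count_commands_drained(const char *input)
{
    int c, r;
    return scan_drained(input, &c, &r) == 0 ? c : -1;
}

/* Over-long lines the hardened reader rejected instead of fragmenting. */
int count_rejected_drained(const char *input)
{
    int c, r;
    return scan_drained(input, &c, &r) == 0 ? r : -1;
}

int main(void)
{
    const char *in = demo_input();
    printf("naive reader would send %d command(s)\n", count_commands_naive(in));
    printf("drained reader sends %d command(s), rejects %d line(s)\n",
           count_commands_drained(in), count_rejected_drained(in));
    return 0;
}
```

With a 64-byte buffer the 201-byte username line is returned in four pieces, so the naive model sends five commands for two lines of input; the drained model sends one and rejects one. Whatever the real cause in lukemftp 1.5, a client that reads replies in lock-step with the commands it believes it sent will be one or more replies behind after such fragmentation, which is consistent with the repeated 200/425 replies in the session above.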