Bug 737016

Summary: ftp: off-by-one in account command parsing
Product: Fedora
Component: ftp
Version: rawhide
Reporter: Tomas Hoger <thoger>
Assignee: Jiri Skala <jskala>
CC: aglotov, jskala
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Status: CLOSED RAWHIDE
Severity: low
Priority: low
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix
Last Closed: 2011-09-09 13:54:09 UTC

Description Tomas Hoger 2011-09-09 11:15:37 UTC
Description of problem:
See: http://www.exploit-db.com/exploits/17806/

Account name as shown there is too long for our ftp, but a name longer than 128 chars should do to reproduce.

The problem is in cmds.c account():

   1840      strncat(buf, *argv, sizeof(buf)-strlen(buf));
   1841      buf[sizeof(buf)-1] = 0;

strncat always writes a terminating null, so this should say sizeof(buf)-strlen(buf)-1.  Line 1841 should be redundant.

So this is a one-byte overflow with '\0', triggered by (trusted) user input, caught by fortify source.
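The following is an added example, not code from the ftp package, the exploit-db entry, or the bug report. It puts the strncat bound from line 1840 beside the bound the report proposes and shows where the terminating NUL lands in each case. The buffer size (BUFSZ, 128) is an assumption; the report only says that a name longer than 128 chars reproduces. The buffer is modelled as BUFSZ bytes followed by one guard byte, so the stray NUL is written into memory the program owns and can inspect rather than into whatever follows buf on the real stack. The long account name is constructed inline.

```c
#include <stdio.h>
#include <string.h>

/*
 * Added example, not code from the ftp package or the exploit-db entry.
 * BUFSZ is an assumed size for buf in account(); the report only says a
 * name longer than 128 chars reproduces. The buffer is modelled as BUFSZ
 * bytes followed by one guard byte, so the off-by-one NUL lands in memory
 * this program owns and can inspect instead of in whatever follows buf on
 * the real stack.
 */

#define BUFSZ 128
#define GUARD 0xAA   /* canary stored in the byte just past buf */

struct result {
    unsigned char guard;   /* byte just past buf after the call: GUARD or 0 */
    size_t len;            /* strlen(buf) after the call */
};

/* Constructed input: an account name of 200 'A's, longer than BUFSZ. */
static const char *long_account_name(void)
{
    static char name[201];
    memset(name, 'A', sizeof(name) - 1);
    name[sizeof(name) - 1] = '\0';
    return name;
}

/* The code as shipped (cmds.c lines 1840-1841): the bound is
 * sizeof(buf)-strlen(buf). strncat copies up to that many bytes and then
 * always writes a NUL, so a long argument fills buf completely and the NUL
 * goes to buf[BUFSZ], one byte past the end. The later
 * buf[sizeof(buf)-1] = 0 cannot undo that write. */
static struct result append_unfixed(const char *arg)
{
    unsigned char storage[BUFSZ + 1];
    char *buf = (char *)storage;
    size_t bufsize = BUFSZ;          /* stands in for sizeof(buf) */
    struct result r;

    storage[BUFSZ] = GUARD;
    buf[0] = '\0';                   /* a non-empty prefix changes nothing below */
    strncat(buf, arg, bufsize - strlen(buf));
    buf[bufsize - 1] = '\0';
    r.guard = storage[BUFSZ];
    r.len = strlen(buf);
    return r;
}

/* The bound the report proposes: sizeof(buf)-strlen(buf)-1. strncat then
 * copies at most BUFSZ-1 bytes and its NUL lands at buf[BUFSZ-1], inside
 * the buffer, which is why the explicit buf[sizeof(buf)-1] = 0 becomes
 * redundant. */
static struct result append_fixed(const char *arg)
{
    unsigned char storage[BUFSZ + 1];
    char *buf = (char *)storage;
    size_t bufsize = BUFSZ;
    struct result r;

    storage[BUFSZ] = GUARD;
    buf[0] = '\0';
    strncat(buf, arg, bufsize - strlen(buf) - 1);
    r.guard = storage[BUFSZ];
    r.len = strlen(buf);
    return r;
}

int main(void)
{
    const char *name = long_account_name();
    struct result bad = append_unfixed(name);
    struct result good = append_fixed(name);

    printf("unfixed: guard byte 0x%02x (0x%02x before call), len %zu\n",
           bad.guard, GUARD, bad.len);
    printf("fixed:   guard byte 0x%02x (0x%02x before call), len %zu\n",
           good.guard, GUARD, good.len);
    return 0;
}
```

With the long name, the unfixed variant reports a guard byte of 0x00 (the NUL written past the end) while the fixed variant leaves it at 0xAA; both produce a 127-character string. In the real program there is no guard byte: the NUL lands on whatever the compiler placed after buf, and on a build with _FORTIFY_SOURCE the checked strncat aborts because the write exceeds the known object size.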