FtpServer
some bugs
Hello, I'm just learning the FTP protocol, found some bugs here and am just making a note of them, don't mind ^ ^
1 ftpserver.c:recv_msg
- cmd and argument are null by default
- a trailing \r\n is not enforced. What if len(buf) <= 2? e.g. buf = "aa": then *cmd = _substring(*buf, 0, 2-2), so cmd = null, and this will cause a null dereference in handle_client_command when strcmp is called; the server will crash.

```c
/* fragment of recv_msg: strlen(*buf) - 2 is computed without checking
   that the line is at least 2 bytes long and ends in "\r\n" */
int index = _find_first_of(*buf, ' ');
if (index < 0) {
    *cmd = _substring(*buf, 0, strlen(*buf) - 2);
}
```
2 handle_client_command:handle_PASS
The problem is just like the first one. What if I send

```python
send('USER anonymous\r\n')
send('PASS\r\n')   # no argument after the command
```

Then the argument value will be null when handle_PASS is called, and strcpy(client->_pass, pass); causes a null dereference.
3 handle_USER handle_PASS
Heap overflow in handle_USER and handle_PASS: struct FtpClient only has name[20] and pass[20], the size is fixed at 20, but it can receive more than 20 bytes. What if

```python
send('USER anonymous\r\n')
send('PASS ' + 'a' * 0x100 + '\r\n')   # buffer overflow
send('QUIT\r\n')
```

This will free a heap chunk which has been overwritten and crash the server.
4 handle_PWD handle_CWD handle_RETR
dir has a fixed buffer size. If there is a dir whose size is larger than 300, something bad happens, just like

```
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa/
```

causing a stack overflow and heap overflow.
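Added example (editor's note, not code from the FtpServer project or from the issue author): a bounded command parser and field store that close the three parser-side problems reported above, namely the unconditional strlen - 2 on short or CRLF-less input, the null argument when a command is sent without one, and the unchecked strcpy into the 20-byte name/pass fields. The struct layout (name[20], pass[20]) is taken from the report; the names parse_command, store_field, handle_USER_safe, handle_PASS_safe, FIELD_LEN and the PARSE_* status codes are hypothetical. The same "reject anything that does not fit, including the terminator" rule is what the fixed-size dir buffers in handle_PWD/handle_CWD/handle_RETR need too, but this block only covers the command and credential path.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Field sizes as the report describes them: name[20], pass[20]. */
#define FIELD_LEN 20

struct FtpClient {
    char name[FIELD_LEN];
    char pass[FIELD_LEN];
};

enum parse_status { PARSE_OK = 0, PARSE_NO_CRLF, PARSE_EMPTY, PARSE_TOO_LONG };

/* Hypothetical replacement for the splitting logic in recv_msg:
 *  - a line shorter than 2 bytes or without a trailing "\r\n" is rejected
 *    (the original computed strlen(buf) - 2 unconditionally);
 *  - cmd is never NULL and arg is "" when the line carries no argument
 *    (so "PASS\r\n" can no longer reach strcpy with a NULL pointer);
 *  - both outputs go into caller-sized buffers, so an oversize field is
 *    reported as PARSE_TOO_LONG instead of being written past the end. */
enum parse_status parse_command(const char *line,
                                char *cmd, size_t cmd_sz,
                                char *arg, size_t arg_sz)
{
    size_t len = strlen(line);
    if (len < 2 || line[len - 2] != '\r' || line[len - 1] != '\n')
        return PARSE_NO_CRLF;
    len -= 2;                                   /* drop the CRLF */
    if (len == 0)
        return PARSE_EMPTY;

    const char *sp = memchr(line, ' ', len);    /* first space, if any */
    size_t cmd_len = sp ? (size_t)(sp - line) : len;
    const char *arg_start = sp ? sp + 1 : line + len;
    size_t arg_len = sp ? len - cmd_len - 1 : 0;

    if (cmd_len == 0)                           /* line began with a space */
        return PARSE_EMPTY;
    if (cmd_len >= cmd_sz || arg_len >= arg_sz) /* leave room for the NUL */
        return PARSE_TOO_LONG;

    memcpy(cmd, line, cmd_len);
    cmd[cmd_len] = '\0';
    memcpy(arg, arg_start, arg_len);
    arg[arg_len] = '\0';
    return PARSE_OK;
}

/* Bounded store into a FIELD_LEN-byte field, replacing the unchecked
 * strcpy(client->_pass, pass). Returns 0 on success, -1 if the value is
 * empty or would not fit together with its terminator. */
static int store_field(char *dst, size_t dst_sz, const char *src)
{
    size_t n = strlen(src);
    if (n == 0 || n >= dst_sz)
        return -1;
    memcpy(dst, src, n + 1);
    return 0;
}

int handle_USER_safe(struct FtpClient *c, const char *user)
{
    return store_field(c->name, sizeof c->name, user);
}

int handle_PASS_safe(struct FtpClient *c, const char *pass)
{
    return store_field(c->pass, sizeof c->pass, pass);
}

/* Stand-alone demo over constructed control-connection lines, including the
 * inputs from the report. */
int main(void)
{
    static const char *lines[] = {
        "aa",                    /* no CRLF: original did strlen - 2 anyway */
        "USER anonymous\r\n",    /* normal */
        "PASS\r\n",              /* command without argument */
        "PASS aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\r\n", /* > 20 bytes */
    };
    struct FtpClient client = {{0}, {0}};
    char cmd[8], arg[512];

    for (size_t i = 0; i < sizeof lines / sizeof lines[0]; i++) {
        enum parse_status st = parse_command(lines[i], cmd, sizeof cmd,
                                             arg, sizeof arg);
        if (st != PARSE_OK) {
            printf("rejected (status %d)\n", (int)st);
            continue;
        }
        int rc = 0;
        if (strcmp(cmd, "USER") == 0)
            rc = handle_USER_safe(&client, arg);
        else if (strcmp(cmd, "PASS") == 0)
            rc = handle_PASS_safe(&client, arg);
        printf("%s arg=%zu bytes -> %s\n", cmd, strlen(arg),
               rc == 0 ? "stored" : "refused");
    }
    return 0;
}
```

The parser never hands a NULL to the command handlers, so a missing argument shows up as an empty string that handle_PASS_safe refuses, and the 0x100-byte password is refused at the store instead of running past pass[20] into the next heap chunk, which is the corruption the QUIT-triggered free later trips over.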