Project

General

Profile

Actions

Security #5024

closed

ftp: GetLine function buffers data indefinitely if 0x0a was not found int the frag'd input

Added by Shivani Bhardwaj almost 3 years ago. Updated about 2 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Target version:
Affected Versions:
Label:
CVE:
Git IDs:

cf8ed576e09a68886760259055e309e51bf5bec3

Severity:
HIGH
Disclosure Date:

Description

We tend to execute


           ptmp = FTPRealloc(line_state->db, line_state->db_len,
                             (line_state->db_len + state->input_len));
            if (ptmp == NULL) {
                FTPFree(line_state->db, line_state->db_len);
                line_state->db = NULL;
                line_state->db_len = 0; 
                return -1;
            }
            line_state->db = ptmp;

            memcpy(line_state->db + line_state->db_len,
                   state->input, state->input_len);
            line_state->db_len += state->input_len;
        }    
        state->input += state->input_len;
        state->input_len = 0; 

indefinitely.


Related issues 4 (0 open4 closed)

Related to Suricata - Bug #5235: ftp: add event when command request or response is too longClosedJason IshActions
Related to Suricata - Bug #5281: ftp: don't let first incomplete segment be over maximum lengthClosedJason IshActions
Copied to Suricata - Security #5025: ftp: GetLine function buffers data indefinitely if 0x0a was not found int the frag'd inputClosedJason IshActions
Copied to Suricata - Security #5026: ftp: GetLine function buffers data indefinitely if 0x0a was not found in the frag'd inputClosedJason IshActions
Actions #1

Updated by Shivani Bhardwaj almost 3 years ago

  • Copied to Security #5025: ftp: GetLine function buffers data indefinitely if 0x0a was not found int the frag'd input added
Actions #2

Updated by Shivani Bhardwaj almost 3 years ago

  • Copied to Security #5026: ftp: GetLine function buffers data indefinitely if 0x0a was not found in the frag'd input added
Actions #3

Updated by Jason Ish over 2 years ago

  • Status changed from Assigned to In Review
  • Assignee changed from Shivani Bhardwaj to Jason Ish
Actions #4

Updated by Jason Ish over 2 years ago

  • Related to Bug #5235: ftp: add event when command request or response is too long added
Actions #5

Updated by Victor Julien over 2 years ago

  • Tracker changed from Bug to Security
  • Severity set to HIGH
Actions #6

Updated by Victor Julien over 2 years ago

  • Status changed from In Review to Closed
  • Git IDs updated (diff)
Actions #7

Updated by Jason Ish over 2 years ago

  • Related to Bug #5281: ftp: don't let first incomplete segment be over maximum length added
Actions #8

Updated by Victor Julien about 2 years ago

  • Private changed from Yes to No
  • Label deleted (Needs backport to 5.0, Needs backport to 6.0)
Actions

Also available in: Atom PDF