Project

General

Profile

Actions

Security #5025

closed

ftp: GetLine function buffers data indefinitely if 0x0a was not found int the frag'd input

Added by Shivani Bhardwaj almost 3 years ago. Updated about 2 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Target version:
Affected Versions:
Label:
CVE:
Git IDs:

9f10e338108bc26ec53af6d5ac53126d06f723e5
b2da5e86ea9315ad876e50bb95dcb8be70f959b5

Severity:
MODERATE
Disclosure Date:

Description

We tend to execute


           ptmp = FTPRealloc(line_state->db, line_state->db_len,
                             (line_state->db_len + state->input_len));
            if (ptmp == NULL) {
                FTPFree(line_state->db, line_state->db_len);
                line_state->db = NULL;
                line_state->db_len = 0; 
                return -1;
            }
            line_state->db = ptmp;

            memcpy(line_state->db + line_state->db_len,
                   state->input, state->input_len);
            line_state->db_len += state->input_len;
        }    
        state->input += state->input_len;
        state->input_len = 0; 

indefinitely.


Related issues 1 (0 open1 closed)

Copied from Suricata - Security #5024: ftp: GetLine function buffers data indefinitely if 0x0a was not found int the frag'd inputClosedJason IshActions
Actions #1

Updated by Shivani Bhardwaj almost 3 years ago

  • Copied from Security #5024: ftp: GetLine function buffers data indefinitely if 0x0a was not found int the frag'd input added
Actions #2

Updated by Shivani Bhardwaj almost 3 years ago

  • Assignee changed from Shivani Bhardwaj to Jeff Lucovsky

The fix will have to be backported from 6.0.x and not master

Actions #3

Updated by Jason Ish over 2 years ago

  • Related to Bug #5235: ftp: add event when command request or response is too long added
Actions #4

Updated by Jason Ish over 2 years ago

  • Related to deleted (Bug #5235: ftp: add event when command request or response is too long)
Actions #5

Updated by Jason Ish over 2 years ago

  • Assignee changed from Jeff Lucovsky to Jason Ish
Actions #6

Updated by Jason Ish over 2 years ago

  • Status changed from Assigned to In Review
Actions #7

Updated by Victor Julien over 2 years ago

  • Status changed from In Review to Resolved

Fix staged.

Actions #8

Updated by Victor Julien over 2 years ago

  • Tracker changed from Bug to Security
  • Severity set to MODERATE
Actions #9

Updated by Jason Ish over 2 years ago

  • Status changed from Resolved to Closed
  • Git IDs updated (diff)
Actions #10

Updated by Victor Julien about 2 years ago

  • Private changed from Yes to No
Actions

Also available in: Atom PDF