Project

General

Profile

Actions

Security #5026

closed

ftp: GetLine function buffers data indefinitely if 0x0a was not found in the frag'd input

Added by Shivani Bhardwaj almost 3 years ago. Updated about 2 years ago.

Status:
Closed
Priority:
Urgent
Assignee:
Target version:
Affected Versions:
Label:
CVE:
Git IDs:

008dd8bde59c405e0c9454508cd8a2adc6784559
746f0236f55f0af66cee8ebf9c4ffdd4cc054cc4

Severity:
MODERATE
Disclosure Date:

Description

We tend to execute


           ptmp = FTPRealloc(line_state->db, line_state->db_len,
                             (line_state->db_len + state->input_len));
            if (ptmp == NULL) {
                FTPFree(line_state->db, line_state->db_len);
                line_state->db = NULL;
                line_state->db_len = 0; 
                return -1;
            }
            line_state->db = ptmp;

            memcpy(line_state->db + line_state->db_len,
                   state->input, state->input_len);
            line_state->db_len += state->input_len;
        }    
        state->input += state->input_len;
        state->input_len = 0; 

indefinitely.


Related issues 1 (0 open1 closed)

Copied from Suricata - Security #5024: ftp: GetLine function buffers data indefinitely if 0x0a was not found int the frag'd inputClosedJason IshActions
Actions #1

Updated by Shivani Bhardwaj almost 3 years ago

  • Copied from Security #5024: ftp: GetLine function buffers data indefinitely if 0x0a was not found int the frag'd input added
Actions #2

Updated by Shivani Bhardwaj over 2 years ago

  • Priority changed from Normal to Urgent
Actions #3

Updated by Victor Julien over 2 years ago

  • Assignee changed from Shivani Bhardwaj to Jason Ish
Actions #4

Updated by Jason Ish over 2 years ago

  • Status changed from Assigned to In Review
Actions #5

Updated by Shivani Bhardwaj over 2 years ago

  • Status changed from In Review to Resolved
Actions #6

Updated by Victor Julien over 2 years ago

  • Tracker changed from Bug to Security
  • Severity set to MODERATE
Actions #7

Updated by Jason Ish over 2 years ago

  • Status changed from Resolved to Closed
  • Git IDs updated (diff)
Actions #8

Updated by Victor Julien about 2 years ago

  • Private changed from Yes to No
Actions

Also available in: Atom PDF