Actions
Bug #5281
closedftp: don't let first incomplete segment be over maximum length
Affected Versions:
Effort:
Difficulty:
Label:
Needs backport to 5.0, Needs backport to 6.0
Description
The first non-terminated ftp command segment is buffered with no size limit. This results in a subsequent segment causing an integer to enter a negative state which is then asserted on with a DEBUG_VALIDATE_BUG_ON. Make sure the first segment is subject to limits of subsequent segments.
Then result in non-debug-validate-bug-on builds is that the first logged segment can be up to 65k, but their should be no security related issue here as the right thing is already done for negative values.
Updated by Jason Ish about 3 years ago
- Status changed from New to Assigned
- Assignee changed from OISF Dev to Jason Ish
- Target version changed from TBD to 7.0.0-beta1
- Affected Versions 6.0.5 added
- Label Needs backport to 5.0, Needs backport to 6.0 added
Updated by Jason Ish about 3 years ago
- Related to Security #5024: ftp: GetLine function buffers data indefinitely if 0x0a was not found int the frag'd input added
Updated by Jeff Lucovsky about 3 years ago
- Copied to Bug #5282: 6.0.x: ftp: don't let first incomplete segment be over maximum length added
Updated by Jeff Lucovsky about 3 years ago
- Copied to Bug #5283: 5.0.x: ftp: don't let first incomplete segment be over maximum length added
Updated by Philippe Antoine about 3 years ago
Found by oss-fuzz
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=46954
Updated by Philippe Antoine about 3 years ago
- Status changed from Assigned to Closed
Actions