Bug #5281
Closed
ftp: don't let first incomplete segment be over maximum length
Affected Versions:
Effort:
Difficulty:
Label: Needs backport to 5.0, Needs backport to 6.0
Description
The first non-terminated ftp command segment is buffered with no size limit. This results in a subsequent segment causing an integer to enter a negative state which is then asserted on with a DEBUG_VALIDATE_BUG_ON. Make sure the first segment is subject to limits of subsequent segments.
The result in non-debug-validate-bug-on builds is that the first logged segment can be up to 65k, but there should be no security-related issue here as the right thing is already done for negative values.
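The length bookkeeping described above, as an added C sketch that is not Suricata's code: `MAX_LINE`, `LineBuf`, `room_left`, `track_unbounded_first` and `linebuf_append` are hypothetical names, and the 4096-byte limit is an assumed value. It contrasts a first segment accepted without a limit against an append routine that clamps every segment the same way.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_LINE 4096u /* assumed per-command limit, not the project's value */

typedef struct {
    uint8_t  buf[MAX_LINE];
    uint32_t len;       /* bytes held from unterminated segments */
    int      truncated; /* set when input beyond MAX_LINE was discarded */
} LineBuf;

/* Room left for the next segment. Signed, so a buffered length that was
 * allowed past MAX_LINE shows up as a negative value. */
static int32_t room_left(uint32_t buffered) {
    return (int32_t)MAX_LINE - (int32_t)buffered;
}

/* Model of the reported behaviour: the first segment skips the limit.
 * Tracks lengths only; no bytes are copied. */
static uint32_t track_unbounded_first(uint32_t buffered, uint32_t seg_len) {
    if (buffered == 0)
        return seg_len;
    int32_t room = room_left(buffered);
    if (room <= 0) return buffered; /* negative room: nothing more is taken */
    return buffered + (seg_len < (uint32_t)room ? seg_len : (uint32_t)room);
}

/* Hardened append: the same clamp applies to every segment, first included.
 * Returns 1 once the segment carried the terminating '\n', else 0. */
static int linebuf_append(LineBuf *lb, const uint8_t *seg, uint32_t seg_len) {
    const uint8_t *nl = memchr(seg, '\n', seg_len);
    uint32_t want = nl ? (uint32_t)(nl - seg) + 1 : seg_len;
    int32_t room = room_left(lb->len);
    uint32_t take = room <= 0 ? 0 : (want < (uint32_t)room ? want : (uint32_t)room);
    memcpy(lb->buf + lb->len, seg, take);
    lb->len += take;
    if (take < want) lb->truncated = 1;
    return nl != NULL;
}

int main(void) {
    static uint8_t seg[65000]; /* constructed input: one segment, no '\n' */
    LineBuf lb = { .len = 0 };
    memset(seg, 'A', sizeof seg);
    linebuf_append(&lb, seg, sizeof seg);
    printf("unbounded room=%d, bounded len=%u\n",
           (int)room_left(track_unbounded_first(0, sizeof seg)), (unsigned)lb.len);
    return 0;
}
```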
Updated by Jason Ish 10 months ago
- Related to Security #5024: ftp: GetLine function buffers data indefinitely if 0x0a was not found int the frag'd input added
Updated by Jeff Lucovsky 10 months ago
- Copied to Bug #5282: 6.0.x: ftp: don't let first incomplete segment be over maximum length added
Updated by Jeff Lucovsky 10 months ago
- Copied to Bug #5283: 5.0.x: ftp: don't let first incomplete segment be over maximum length added
Updated by Philippe Antoine 10 months ago
Found by oss-fuzz
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=46954
Updated by Philippe Antoine 9 months ago
- Status changed from Assigned to Closed