[Bug 214820] CVE-2006-5815: proftpd unspecified vulnerability

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Please do not reply directly to this email. All additional
comments should be made in the comments box of this bug report.

Summary: CVE-2006-5815: proftpd unspecified vulnerability


https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=214820





------- Additional Comments From paul@xxxxxxxxxxxx  2006-11-17 13:41 EST -------
Created an attachment (id=141513)
 --> (https://bugzilla.redhat.com/bugzilla/attachment.cgi?id=141513&action=view)
Revised version of proftpd-1.3.0-cmdbufsize.patch

The patch in CVS (Comment #2) appears to dereference a null pointer in the
default case where the config file doesn't have a CommandBufferSize specified:

>      if (cmd_buf_size == -1) {
> -	 long *buf_size = get_param_ptr(main_server->conf,
> -	   "CommandBufferSize", FALSE);
> +	 int *bufsz = get_param_ptr(main_server->conf, "CommandBufferSize",
> +	   FALSE);
>  
> -	 if (buf_size == NULL || *buf_size <= 0)
> -	   cmd_buf_size = 512;
> +	 if (bufsz == NULL ||
> +	     *bufsz <= 0) {
> +   pr_log_pri(PR_LOG_WARNING, "invalid CommandBufferSize size (%d) "
> +	     "given, resetting to default buffer size (%u)",
> +	     *bufsz, (unsigned int) PR_DEFAULT_CMD_BUFSZ);
> +	   cmd_buf_size = PR_DEFAULT_CMD_BUFSZ;

In the case where bufsz is NULL, there is a reference to *bufsz when the log
message is done. I found this caused a segfault immediately on connection.

Attached patch handles the cases of "buf_size == NULL" and "*buf_size <= 0"
separately.

-- 
Configure bugmail: https://bugzilla.redhat.com/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.

--
Fedora-security-list mailing list
Fedora-security-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-security-list

[Index of Archives]     [Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Big List of Linux Books]     [Yosemite News]     [KDE Users]     [Coolkey]

  Powered by Linux