Please do not reply directly to this email. All additional comments should be made in the comments box of this bug report.

Summary: CVE-2006-5815: proftpd unspecified vulnerability
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=214820

------- Additional Comments From paul@xxxxxxxxxxxx 2006-11-17 13:41 EST -------

Created an attachment (id=141513)
 --> (https://bugzilla.redhat.com/bugzilla/attachment.cgi?id=141513&action=view)
Revised version of proftpd-1.3.0-cmdbufsize.patch

The patch in CVS (Comment #2) appears to dereference a null pointer in the default case where the config file doesn't have a CommandBufferSize specified:

> if (cmd_buf_size == -1) {
> - long *buf_size = get_param_ptr(main_server->conf,
> - "CommandBufferSize", FALSE);
> + int *bufsz = get_param_ptr(main_server->conf, "CommandBufferSize",
> + FALSE);
>
> - if (buf_size == NULL || *buf_size <= 0)
> - cmd_buf_size = 512;
> + if (bufsz == NULL ||
> + *bufsz <= 0) {
> + pr_log_pri(PR_LOG_WARNING, "invalid CommandBufferSize size (%d) "
> + "given, resetting to default buffer size (%u)",
> + *bufsz, (unsigned int) PR_DEFAULT_CMD_BUFSZ);
> + cmd_buf_size = PR_DEFAULT_CMD_BUFSZ;

In the case where bufsz is NULL, there is a reference to *bufsz when the log message is done. I found this caused a segfault immediately on connection.

Attached patch handles the cases of "buf_size == NULL" and "*buf_size <= 0" separately.

--
Configure bugmail: https://bugzilla.redhat.com/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.

--
Fedora-security-list mailing list
Fedora-security-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-security-list
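Review bot: in the quoted hunk the `bufsz == NULL` arm of the combined condition still falls into the `pr_log_pri(...)` call, whose argument list reads `*bufsz`, so a config without a CommandBufferSize directive dereferences NULL before `cmd_buf_size = PR_DEFAULT_CMD_BUFSZ` is ever reached. Split the two conditions: on `bufsz == NULL` assign the default without logging a value, and log `*bufsz` only in the `*bufsz <= 0` branch. The same hunk also changes the pointer type from `long *buf_size` to `int *bufsz`; worth confirming that the stored parameter really is an `int`, since both the dereference and the `%d` format depend on it.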
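As an added illustration (not the attached patch and not proftpd's own code), the hunk's combined check beside a split check of the kind the comment describes. PR_DEFAULT_CMD_BUFSZ, the log text and the 512 default are taken from the quoted hunk; the function names and the sample inputs are constructed.

```c
#include <stdio.h>
#include <stddef.h>

/* Stand-in for proftpd's PR_DEFAULT_CMD_BUFSZ (name from the quoted hunk);
 * 512 is the value the hunk's removed line hard-coded. */
#define PR_DEFAULT_CMD_BUFSZ 512

/* Shape of the quoted hunk: a combined test, then a log call reading *bufsz.
 * With no CommandBufferSize directive the lookup yields NULL and the log
 * call dereferences it (the segfault on connect the comment reports). */
static int resolve_cmd_buf_size_combined(const int *bufsz) {
    if (bufsz == NULL || *bufsz <= 0) {
        fprintf(stderr, "invalid CommandBufferSize size (%d) given, "
                "resetting to default buffer size (%u)\n",
                *bufsz, (unsigned int) PR_DEFAULT_CMD_BUFSZ); /* NULL deref */
        return PR_DEFAULT_CMD_BUFSZ;
    }
    return *bufsz;
}

/* The fix the comment describes: handle the absent directive and the
 * non-positive value separately, so *bufsz is read only when non-NULL. */
static int resolve_cmd_buf_size(const int *bufsz) {
    if (bufsz == NULL)            /* directive absent: nothing to report */
        return PR_DEFAULT_CMD_BUFSZ;
    if (*bufsz <= 0) {            /* present but unusable: safe to log now */
        fprintf(stderr, "invalid CommandBufferSize size (%d) given, "
                "resetting to default buffer size (%u)\n",
                *bufsz, (unsigned int) PR_DEFAULT_CMD_BUFSZ);
        return PR_DEFAULT_CMD_BUFSZ;
    }
    return *bufsz;
}

/* Wrappers modelling a directive that is present with value v. */
static int resolve_from_value(int v) { return resolve_cmd_buf_size(&v); }
static int resolve_combined_from_value(int v) {
    return resolve_cmd_buf_size_combined(&v);
}

int main(void) {
    /* Constructed inputs: directive missing, zero, negative, valid. */
    printf("missing -> %d\n", resolve_cmd_buf_size(NULL));
    printf("0 -> %d, -5 -> %d, 1024 -> %d\n", resolve_from_value(0),
           resolve_from_value(-5), resolve_from_value(1024));
    return 0;
}
```

The combined variant is kept only for contrast with a present directive; calling it with NULL reproduces the crash rather than demonstrating anything further.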