Note: This is a public test instance of Red Hat Bugzilla. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback at bugzilla.redhat.com.

Bug 1311602

Summary: vsftpd segfaults in vsf_sysutil_strndup .
Product: [Fedora] Fedora Reporter: Tomáš Hozza <thozza>
Component: vsftpdAssignee: Martin Sehnoutka <msehnout>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium Docs Contact:
Priority: medium    
Version: rawhideCC: jaskalnik, mnagy, mosvald, thozza
Target Milestone: ---   
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: vsftpd-3.0.3-2.fc23 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: 1222386 Environment:
Last Closed: 2016-07-12 23:53:51 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Tomáš Hozza 2016-02-24 15:00:19 UTC 
+++ This bug was initially created as a clone of Bug #1222386 +++

Description of problem:
Vsftpd crashes while parsing the conf


Version-Release number of selected component (if applicable):
latest


Actual results:

vsftpd crahes
Expected results:

vsftpd should not crash
Additional info:

--- Additional comment from Susant Sahani on 2015-05-18 08:16:59 CEST ---

(gdb) bt
#0  vsf_sysutil_strndup (p_str=0x7f99431e3311 "", p_len=4294967295) at sysutil.c:1056
#1  0x00007f994191544c in vsf_parseconf_load_setting (p_setting=<value optimized out>, errs_fatal=<value optimized out>) at parseconf.c:280
#2  0x00007f99419156ab in vsf_parseconf_load_file (p_filename=<value optimized out>, errs_fatal=1) at parseconf.c:243
#3  0x00007f994190b138 in main (argc=2, argv=0x7fff18596218) at main.c:93
(gdb) f 0
#0  vsf_sysutil_strndup (p_str=0x7f99431e3311 "", p_len=4294967295) at sysutil.c:1056
1056	  new[p_len]='\0';
(gdb) p  new[p_len]
Cannot access memory at address 0x7f9a431e324f <========= crashing because of bad/corrupt address.
(gdb) p new
$1 = 0x7f99431e3250 ""

--- Additional comment from Susant Sahani on 2015-05-18 09:57:39 CEST ---

This crashing because the parser is not able to interpret that nothing after this conf value.

~~~
ftpd_banner=
~~~

and a tab space after the '='
Comment 1 Fedora Admin XMLRPC Client 2016-03-03 13:30:59 UTC 
This package has changed ownership in the Fedora Package Database.  Reassigning to the new owner of this component.
Comment 2 Martin Sehnoutka 2016-04-14 08:41:48 UTC 
Fixed in:
vsftpd-3.0.3-2.fc23

Patch:
http://pkgs.fedoraproject.org/cgit/rpms/vsftpd.git/diff/vsftpd-2.2.2-blank-chars-overflow.patch?h=f23
Comment 3 Fedora Update System 2016-04-14 08:45:00 UTC 
vsftpd-3.0.3-2.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2016-61c40f55a7
Comment 4 Fedora Update System 2016-04-16 19:26:25 UTC 
vsftpd-3.0.3-2.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-61c40f55a7
Comment 5 Fedora Update System 2016-07-12 23:53:40 UTC 
vsftpd-3.0.3-2.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.