Note: This is a public test instance of Red Hat Bugzilla. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback at bugzilla.redhat.com.
Bug 1311602 - vsftpd segfaults in vsf_sysutil_strndup .
Summary: vsftpd segfaults in vsf_sysutil_strndup .
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: vsftpd
Version: rawhide
Hardware: x86_64
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Martin Sehnoutka
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2016-02-24 15:00 UTC by Tomáš Hozza
Modified: 2016-07-12 23:53 UTC (History)
4 users (show)

Fixed In Version: vsftpd-3.0.3-2.fc23
Doc Type: Bug Fix
Doc Text:
Clone Of: 1222386
Environment:
Last Closed: 2016-07-12 23:53:51 UTC
Type: Bug
Embargoed:


Attachments (Terms of Use)

Description Tomáš Hozza 2016-02-24 15:00:19 UTC
+++ This bug was initially created as a clone of Bug #1222386 +++

Description of problem:
Vsftpd crashes while parsing the conf


Version-Release number of selected component (if applicable):
latest


Actual results:

vsftpd crahes
Expected results:

vsftpd should not crash
Additional info:

--- Additional comment from Susant Sahani on 2015-05-18 08:16:59 CEST ---

(gdb) bt
#0  vsf_sysutil_strndup (p_str=0x7f99431e3311 "", p_len=4294967295) at sysutil.c:1056
#1  0x00007f994191544c in vsf_parseconf_load_setting (p_setting=<value optimized out>, errs_fatal=<value optimized out>) at parseconf.c:280
#2  0x00007f99419156ab in vsf_parseconf_load_file (p_filename=<value optimized out>, errs_fatal=1) at parseconf.c:243
#3  0x00007f994190b138 in main (argc=2, argv=0x7fff18596218) at main.c:93
(gdb) f 0
#0  vsf_sysutil_strndup (p_str=0x7f99431e3311 "", p_len=4294967295) at sysutil.c:1056
1056	  new[p_len]='\0';
(gdb) p  new[p_len]
Cannot access memory at address 0x7f9a431e324f <========= crashing because of bad/corrupt address.
(gdb) p new
$1 = 0x7f99431e3250 ""

--- Additional comment from Susant Sahani on 2015-05-18 09:57:39 CEST ---

This crashing because the parser is not able to interpret that nothing after this conf value.

~~~
ftpd_banner=
~~~

and a tab space after the '='

Comment 1 Fedora Admin XMLRPC Client 2016-03-03 13:30:59 UTC
This package has changed ownership in the Fedora Package Database.  Reassigning to the new owner of this component.

Comment 2 Martin Sehnoutka 2016-04-14 08:41:48 UTC
Fixed in:
vsftpd-3.0.3-2.fc23

Patch:
http://pkgs.fedoraproject.org/cgit/rpms/vsftpd.git/diff/vsftpd-2.2.2-blank-chars-overflow.patch?h=f23

Comment 3 Fedora Update System 2016-04-14 08:45:00 UTC
vsftpd-3.0.3-2.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2016-61c40f55a7

Comment 4 Fedora Update System 2016-04-16 19:26:25 UTC
vsftpd-3.0.3-2.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-61c40f55a7

Comment 5 Fedora Update System 2016-07-12 23:53:40 UTC
vsftpd-3.0.3-2.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.


Note You need to log in before you can comment on or make changes to this bug.