Project

General

Profile

Actions
Copy link

Security #2949

closed

rust/ftp: panic in ftp parser (master)

Added by Victor Julien over 5 years ago. Updated about 4 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Jason Ish
Target version:
5.0beta1
Affected Versions:
4.1.4
Label:
CVE:
2019-10055
Git IDs:

9d75fdc6eafcbbc47b6cff5d54cc8bf86237585e

Severity:
Disclosure Date:

Description

From reporter:

==14001== ERROR: libFuzzer: deadly signal
...
#16 0x561102d178e8 in suricata::ftp::ftp_pasv_response::h60c6b1ddc31e5372 /home/sirko/Projects/CI/fuzzing/suricata-
fuzzing.2/rust/src/ftp/mod.rs:54:16
#17 0x561102ce4475 in rs_ftp_pasv_response /home/sirko/Projects/CI/fuzzing/suricata-fuzzing.2/rust/src/ftp/mod.rs:63:10
#18 0x561102c2bf4b in rust_fuzzer_test_input /home/sirko/Projects/CI/fuzzing/suricata-fuzzing.2/rust/fuzz/fuzz_targets/
fuzz_ftp.rs:6:4
#19 0x561102e99dd4 in libfuzzer_sys::test_input_wrap::_$u7b$$u7b$closure$u7d$$u7d$::h29c9181044b7489b
/home/sirko/.cargo/git/checkouts/libfuzzer-sys-e07fde05820d7bc6/4a41319/src/lib.rs:11:8
#20 0x561102ee0edd in std::panicking::try::do_call::hd66afc279650fe66
/rustc/0f88167f89fffe321590c5148f21b7d51d44388d/src/libstd/panicking.rs:293:39
#21 0x561102ef30f8 in __rust_maybe_catch_panic /rustc/0f88167f89fffe321590c5148f21b7d51d44388d/src/libpanic_abort/
lib.rs:29:4

The passive response decoder returns a u16, however the method of calculating the port value can create a value greater than a u16 can hold leading to a panic.

Related issues 1 (0 open1 closed)

Copied from Suricata - Security #2904: rust/ftp: panic in ftp parserClosedJason IshActions
Actions
Copy link

Also available in: Atom PDF