Project

General

Profile

Actions
Copy link

Security #5024

closed

ftp: GetLine function buffers data indefinitely if 0x0a was not found int the frag'd input

Added by Shivani Bhardwaj almost 3 years ago. Updated almost 2 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Jason Ish
Target version:
7.0.0-beta1
Affected Versions:
Label:
CVE:
Git IDs:

cf8ed576e09a68886760259055e309e51bf5bec3

Severity:
HIGH
Disclosure Date:

Description

We tend to execute


           ptmp = FTPRealloc(line_state->db, line_state->db_len,
                             (line_state->db_len + state->input_len));
            if (ptmp == NULL) {
                FTPFree(line_state->db, line_state->db_len);
                line_state->db = NULL;
                line_state->db_len = 0; 
                return -1;
            }
            line_state->db = ptmp;

            memcpy(line_state->db + line_state->db_len,
                   state->input, state->input_len);
            line_state->db_len += state->input_len;
        }    
        state->input += state->input_len;
        state->input_len = 0;

indefinitely.

Related issues 4 (0 open4 closed)

Related to Suricata - Bug #5235: ftp: add event when command request or response is too longClosedJason IshActions
Related to Suricata - Bug #5281: ftp: don't let first incomplete segment be over maximum lengthClosedJason IshActions
Copied to Suricata - Security #5025: ftp: GetLine function buffers data indefinitely if 0x0a was not found int the frag'd inputClosedJason IshActions
Copied to Suricata - Security #5026: ftp: GetLine function buffers data indefinitely if 0x0a was not found in the frag'd inputClosedJason IshActions
Actions
Copy link

Also available in: Atom PDF