Please do not reply directly to this email. All additional
comments should be made in the comments box of this bug report.
Summary: CVE-2006-5815: proftpd unspecified vulnerability
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=214820
------- Additional Comments From paul(a)city-fan.org 2006-11-17 13:41 EST -------
Created an attachment (id=141513)
--> (https://bugzilla.redhat.com/bugzilla/attachment.cgi?id=141513&action=...)
Revised version of proftpd-1.3.0-cmdbufsize.patch
The patch in CVS (Comment #2) appears to dereference a null pointer in the
default case where the config file doesn't have a CommandBufferSize specified:
if (cmd_buf_size == -1) {
- long *buf_size = get_param_ptr(main_server->conf,
- "CommandBufferSize", FALSE);
+ int *bufsz = get_param_ptr(main_server->conf, "CommandBufferSize",
+ FALSE);
- if (buf_size == NULL || *buf_size <= 0)
- cmd_buf_size = 512;
+ if (bufsz == NULL ||
+ *bufsz <= 0) {
+ pr_log_pri(PR_LOG_WARNING, "invalid CommandBufferSize size (%d) "
+ "given, resetting to default buffer size (%u)",
+ *bufsz, (unsigned int) PR_DEFAULT_CMD_BUFSZ);
+ cmd_buf_size = PR_DEFAULT_CMD_BUFSZ;
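Review bot: the `bufsz == NULL` branch still dereferences the pointer in the log call (`*bufsz, (unsigned int) PR_DEFAULT_CMD_BUFSZ`), so a server whose config has no CommandBufferSize directive crashes here; split the combined `if (bufsz == NULL || *bufsz <= 0)` into a NULL case that takes `PR_DEFAULT_CMD_BUFSZ` silently and a `*bufsz <= 0` case that logs the offending value. Also worth confirming that reading the stored value through `int *bufsz` instead of the previous `long *buf_size` matches the type the CommandBufferSize directive handler actually stores, since the `%d` in the warning assumes an int.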
In the case where bufsz is NULL, there is a reference to *bufsz when the log
message is done. I found this caused a segfault immediately on connection.
Attached patch handles the cases of "buf_size == NULL" and "*buf_size <= 0" separately.
--
Configure bugmail:
https://bugzilla.redhat.com/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.
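The shape of the fix the comment describes, written out as an added example that is not proftpd's code or the attached patch: the NULL case (directive absent from the config) and the non-positive case (directive present but invalid) are tested separately, so the warning path never touches a NULL pointer. The default size, the function names and the log stand-in are assumptions made for this example.

```c
#include <stddef.h>
#include <stdio.h>

/* Assumed default for the example; proftpd's own constant is PR_DEFAULT_CMD_BUFSZ. */
#define EXAMPLE_DEFAULT_CMD_BUFSZ 512

/* Stand-in for the server's logging call (assumption for this example). */
static void example_log_warning(int configured, unsigned int fallback)
{
    fprintf(stderr,
            "invalid CommandBufferSize size (%d) given, "
            "resetting to default buffer size (%u)\n",
            configured, fallback);
}

/*
 * Resolve the effective command buffer size from an optional configured value.
 * bufsz is NULL when CommandBufferSize is not present in the config file.
 *
 * The two invalid cases are deliberately kept apart: a combined
 * "bufsz == NULL || *bufsz <= 0" test followed by a log call that prints
 * *bufsz dereferences NULL on the very first connection when the directive
 * is absent, which is the segfault reported in the comment above.
 */
long example_resolve_cmd_bufsz(const int *bufsz)
{
    if (bufsz == NULL) {
        /* Directive not configured: nothing to warn about, take the default. */
        return EXAMPLE_DEFAULT_CMD_BUFSZ;
    }

    if (*bufsz <= 0) {
        /* Directive present but unusable: safe to report the value now,
         * because the pointer is known to be non-NULL on this path. */
        example_log_warning(*bufsz, (unsigned int) EXAMPLE_DEFAULT_CMD_BUFSZ);
        return EXAMPLE_DEFAULT_CMD_BUFSZ;
    }

    return *bufsz;
}

int main(void)
{
    int zero = 0, negative = -8, valid = 1024;

    printf("absent   -> %ld\n", example_resolve_cmd_bufsz(NULL));
    printf("0        -> %ld\n", example_resolve_cmd_bufsz(&zero));
    printf("-8       -> %ld\n", example_resolve_cmd_bufsz(&negative));
    printf("1024     -> %ld\n", example_resolve_cmd_bufsz(&valid));
    return 0;
}
```

The ordering matters: the NULL test must come first and return on its own, so that every later statement in the function may assume a valid pointer.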