[Bug 214820] CVE-2006-5815: proftpd unspecified vulnerability
bugzilla at redhat.com
Fri Nov 17 18:41:37 UTC 2006
Please do not reply directly to this email. All additional
comments should be made in the comments box of this bug report.
Summary: CVE-2006-5815: proftpd unspecified vulnerability
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=214820
------- Additional Comments From paul at city-fan.org 2006-11-17 13:41 EST -------
Created an attachment (id=141513)
--> (https://bugzilla.redhat.com/bugzilla/attachment.cgi?id=141513&action=view)
Revised version of proftpd-1.3.0-cmdbufsize.patch
The patch in CVS (Comment #2) appears to dereference a null pointer in the
default case where the config file doesn't have a CommandBufferSize specified:
> if (cmd_buf_size == -1) {
> - long *buf_size = get_param_ptr(main_server->conf,
> - "CommandBufferSize", FALSE);
> + int *bufsz = get_param_ptr(main_server->conf, "CommandBufferSize",
> + FALSE);
>
> - if (buf_size == NULL || *buf_size <= 0)
> - cmd_buf_size = 512;
> + if (bufsz == NULL ||
> + *bufsz <= 0) {
> + pr_log_pri(PR_LOG_WARNING, "invalid CommandBufferSize size (%d) "
> + "given, resetting to default buffer size (%u)",
> + *bufsz, (unsigned int) PR_DEFAULT_CMD_BUFSZ);
> + cmd_buf_size = PR_DEFAULT_CMD_BUFSZ;
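Review bot: The `pr_log_pri(...)` call in the new `if (bufsz == NULL || *bufsz <= 0)` branch passes `*bufsz` as a format argument, so when `bufsz == NULL` (no CommandBufferSize directive in the config, i.e. the default install) the warning path reads through a null pointer before `cmd_buf_size` is ever assigned. Split the two conditions: on `bufsz == NULL` assign `PR_DEFAULT_CMD_BUFSZ` without logging (there is no configured value to report), and only in the `*bufsz <= 0` case log the offending value. Separately, the pointee type changes from `long *buf_size` to `int *bufsz` with a `%d` format; that is only correct if the directive handler stores the value as an `int`, so the storage side should be checked in the same change.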
In the case where bufsz is NULL, there is a reference to *bufsz when the log
message is done. I found this caused a segfault immediately on connection.
Attached patch handles the cases of "buf_size == NULL" and "*buf_size <= 0"
separately.
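The separation the comment describes (an absent directive is silently defaulted, an invalid one is logged with its value, and the pointer is only dereferenced on the branch where it is known to be non-null) can be shown in isolation. This is an added example, not code from the bug report or from proftpd: `resolve_cmd_buf_size`, `log_warning`, `warned`, the 512 default and the sample values are all constructed for illustration, and stand in for the real `get_param_ptr`/`pr_log_pri` plumbing.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-ins for this example; not proftpd's real API. */
#define DEFAULT_CMD_BUFSZ 512   /* the default the pre-patch code hard-coded */

/* Sample config values, constructed for the example: one invalid, one valid. */
const int example_invalid = -5;
const int example_valid = 1024;

static char last_warning[256];  /* captures the most recent warning text */

static void log_warning(const char *msg) {
    snprintf(last_warning, sizeof last_warning, "%s", msg);
}

/* Resolve the effective command buffer size from an optional config value.
 * bufsz is NULL when the directive is absent (the default-config case).
 * The NULL and "<= 0" cases are handled on separate branches so that the
 * logging path never reads through a null pointer. */
int resolve_cmd_buf_size(const int *bufsz) {
    last_warning[0] = '\0';
    if (bufsz == NULL) {
        /* Directive not configured: use the default, nothing to report. */
        return DEFAULT_CMD_BUFSZ;
    }
    if (*bufsz <= 0) {
        /* Directive present but invalid: bufsz is non-null here, so
         * dereferencing it for the log message is safe. */
        char msg[160];
        snprintf(msg, sizeof msg,
                 "invalid CommandBufferSize size (%d) given, "
                 "resetting to default buffer size (%u)",
                 *bufsz, (unsigned int) DEFAULT_CMD_BUFSZ);
        log_warning(msg);
        return DEFAULT_CMD_BUFSZ;
    }
    return *bufsz;
}

/* Nonzero if the most recent resolve_cmd_buf_size() call logged a warning. */
int warned(void) {
    return last_warning[0] != '\0';
}

int main(void) {
    printf("absent  -> %d (warned=%d)\n", resolve_cmd_buf_size(NULL), warned());
    printf("invalid -> %d (warned=%d)\n",
           resolve_cmd_buf_size(&example_invalid), warned());
    printf("valid   -> %d (warned=%d)\n",
           resolve_cmd_buf_size(&example_valid), warned());
    return 0;
}
```

The point of keeping the branches separate rather than folding them into one `||` condition is that the log call's arguments are evaluated unconditionally once the branch is entered; a combined condition makes the null case reach a dereference that the condition itself was meant to exclude.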