jeans/motioneyeos
jeans/motioneyeos
1
0
Fork 0
mirror of https://github.com/motioneye-project/motioneyeos.git synced 2025-07-25 20:26:34 +00:00
Code Issues Packages Projects Releases Wiki Activity

package/pure-ftpd: fix CVE-2019-20176

Browse Source 
In Pure-FTPd 1.0.49, a stack exhaustion issue was discovered in the
listdir function in ls.c.

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
This commit is contained in:
Fabrice Fontaine 2020-02-29 21:34:15 +01:00 committed by Yann E. MORIN
parent 190964b668
commit cb7ac0c12e
2 changed files with 73 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

70
package/pure-ftpd/0001-listdir-reuse-a-single-buffer-to-store-every-file-name-to-display.patch Normal file
View File

@ -0,0 +1,70 @@
From aea56f4bcb9948d456f3fae4d044fd3fa2e19706 Mon Sep 17 00:00:00 2001
From: Frank Denis <github@pureftpd.org>
Date: Mon, 30 Dec 2019 17:40:04 +0100
Subject: [PATCH] listdir(): reuse a single buffer to store every file name to
display
Allocating a new buffer for each entry is useless.
And as these buffers are allocated on the stack, on systems with a
small stack size, with many entries, the limit can easily be reached,
causing a stack exhaustion and aborting the user session.
Reported by Antonio Morales from the GitHub Security Lab team, thanks!
[Retrieved from:
https://github.com/jedisct1/pure-ftpd/commit/aea56f4bcb9948d456f3fae4d044fd3fa2e19706]
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
---
src/ls.c | 15 ++++++++-------
1 file changed, 8 insertions(+), 7 deletions(-)
diff --git a/src/ls.c b/src/ls.c
index cf804c7..f8a588f 100644
--- a/src/ls.c
+++ b/src/ls.c
@@ -661,6 +661,8 @@ static void listdir(unsigned int depth, int f, void * const tls_fd,
char *names;
PureFileInfo *s;
PureFileInfo *r;
+ char *alloca_subdir;
+ size_t sizeof_subdir;
int d;
if (depth >= max_ls_depth || matches >= max_ls_files) {
@@ -690,14 +692,12 @@ static void listdir(unsigned int depth, int f, void * const tls_fd,
}
outputfiles(f, tls_fd);
r = dir;
+ sizeof_subdir = PATH_MAX + 1U;
+ if ((alloca_subdir = ALLOCA(sizeof_subdir)) == NULL) {
+ goto toomany;
+ }
while (opt_R && r != s) {
if (r->name_offset != (size_t) -1 && !chdir(FI_NAME(r))) {
- char *alloca_subdir;
- const size_t sizeof_subdir = PATH_MAX + 1U;
-
- if ((alloca_subdir = ALLOCA(sizeof_subdir)) == NULL) {
- goto toomany;
- }
if (SNCHECK(snprintf(alloca_subdir, sizeof_subdir, "%s/%s",
name, FI_NAME(r)), sizeof_subdir)) {
goto nolist;
@@ -706,8 +706,8 @@ static void listdir(unsigned int depth, int f, void * const tls_fd,
wrstr(f, tls_fd, alloca_subdir);
wrstr(f, tls_fd, ":\r\n\r\n");
listdir(depth + 1U, f, tls_fd, alloca_subdir);
+
nolist:
- ALLOCA_FREE(alloca_subdir);
if (matches >= max_ls_files) {
goto toomany;
}
@@ -720,6 +720,7 @@ static void listdir(unsigned int depth, int f, void * const tls_fd,
r++;
}
toomany:
+ ALLOCA_FREE(alloca_subdir);
free(names);
free(dir);
names = NULL;

3
package/pure-ftpd/pure-ftpd.mk
View File

@ -11,6 +11,9 @@ PURE_FTPD_LICENSE = ISC
PURE_FTPD_LICENSE_FILES = COPYING PURE_FTPD_LICENSE_FILES = COPYING
PURE_FTPD_DEPENDENCIES = $(if $(BR2_PACKAGE_LIBICONV),libiconv) PURE_FTPD_DEPENDENCIES = $(if $(BR2_PACKAGE_LIBICONV),libiconv)
# 0001-listdir-reuse-a-single-buffer-to-store-every-file-name-to-display.patch
PURE_FTPD_IGNORE_CVES += CVE-2019-20176
PURE_FTPD_CONF_OPTS = \ PURE_FTPD_CONF_OPTS = \
--with-altlog \ --with-altlog \
--with-puredb --with-puredb