Package: gftp Version: 2.0.18-16 Severity: important Tags: patch, security gftp seems vulnerable to CVE-2006-7221: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-7221
"Multiple off-by-one errors in fsplib.c in fsplib before 0.8 allow attackers to cause a denial of service via unspecified vectors involving the (1) name and (2) d_name entry attributes." Attached patch includes the upstream fsplib changes. -- Kees Cook @outflux.net
--- gftp-2.0.18.orig/lib/fsplib/fsplib.c +++ gftp-2.0.18/lib/fsplib/fsplib.c @@ -612,9 +612,9 @@ entry->d_reclen = fentry.reclen; strncpy(entry->d_name,fentry.name,MAXNAMLEN); - if (fentry.namlen > MAXNAMLEN) + if (fentry.namlen >= MAXNAMLEN) { - entry->d_name[MAXNAMLEN + 1 ] = '\0'; + entry->d_name[MAXNAMLEN] = '\0'; #ifdef HAVE_NAMLEN entry->d_namlen = MAXNAMLEN; } else @@ -680,9 +680,19 @@ /* skip file date and file size */ dir->dirpos += 9; /* read file name */ - entry->name[255 + 1] = '\0'; - strncpy(entry->name,(char *)( dir->data + dir->dirpos ),MAXNAMLEN); + entry->name[255] = '\0'; + strncpy(entry->name,(char *)( dir->data + dir->dirpos ),255); + /* check for ASCIIZ encoded filename */ + if (memchr(dir->data + dir->dirpos,0,dir->datasize - dir->dirpos) != NULL) + { namelen = strlen( (char *) dir->data+dir->dirpos); + } + else + { + /* \0 terminator not found at end of filename */ + *result = NULL; + return 0; + } /* skip over file name */ dir->dirpos += namelen +1; @@ -709,12 +719,12 @@ struct dirent * fsp_readdir(FSP_DIR *dirp) { - static struct dirent entry; + static dirent_workaround entry; struct dirent *result; if (dirp == NULL) return NULL; - if ( fsp_readdir_r(dirp,&entry,&result) ) + if ( fsp_readdir_r(dirp,&entry.dirent,&result) ) return NULL; else return result; --- gftp-2.0.18.orig/lib/fsplib/fsplib.h +++ gftp-2.0.18/lib/fsplib/fsplib.h @@ -1,13 +1,17 @@ #ifndef _FSPLIB_H #define _FSPLIB_H 1 #include <time.h> +#include <dirent.h> +#include <sys/stat.h> +#include <stddef.h> + /* The FSP v2 protocol support library - public interface */ /* This file is part of fsplib - FSP protocol stack implemented in C language. See http://fsp.sourceforge.net for more information. -Copyright (c) 2003-2005 by Radim HSN Kolar ([EMAIL PROTECTED]) +Copyright (c) 2003-2005 by Radim HSN Kolar ([EMAIL PROTECTED]) You may copy or modify this file in any manner you wish, provided that this notice is always included, and that you hold the author 
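Review bot: The new `entry->d_name[MAXNAMLEN] = '\0';` is only in bounds when the caller's `struct dirent` really carries MAXNAMLEN+1 bytes of `d_name`; the library's own `fsp_readdir()` guarantees that through the `dirent_workaround` union added elsewhere in this patch, but this function takes a caller-supplied `entry` and nothing here checks or documents the requirement. On glibc `d_name` is `char[256]` so the index is fine, but on a platform where `struct dirent` declares `d_name` shorter, an application passing a plain `struct dirent` still overruns by exactly the amount the patch fixes internally. I would state the contract next to the `fsp_readdir_r` prototype in fsplib.h, e.g. `/* entry must provide MAXNAMLEN+1 bytes of d_name; pass the .dirent member of a dirent_workaround on systems that declare d_name shorter */`. The enclosing function starts and ends outside this hunk, so I cannot see whether `fentry.name` is itself guaranteed to be terminated before the `strncpy()`.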
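Review bot: The added `memchr()` terminator check runs after the `strncpy(entry->name, (char *)(dir->data + dir->dirpos), 255)` it is meant to protect, so when fewer than 255 bytes remain after `dir->dirpos` and none of them is NUL, `strncpy()` has already read past the end of `dir->data` by the time the check rejects the entry. Move the guard ahead of the copy: `if (memchr(dir->data + dir->dirpos, 0, dir->datasize - dir->dirpos) == NULL) { *result = NULL; return 0; }` first, then `namelen = strlen((char *) dir->data + dir->dirpos);`, then the terminator store and the bounded copy — once a NUL is known to lie inside the buffer, the 255-byte `strncpy()` cannot run off it. The length `dir->datasize - dir->dirpos` also assumes `dir->dirpos <= dir->datasize` still holds after the `dir->dirpos += 9` above; if the 9-byte date/size header is not validated against `datasize` earlier in the function (not visible in this hunk), a short final record makes that subtraction wrap or go negative and the `memchr()` scans beyond the buffer. The enclosing function starts and ends outside this hunk.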
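Review bot: With this change `fsp_readdir()` returns the same `NULL` for the new malformed-listing path (`*result = NULL; return 0;` in the directory parser, reached presumably via `fsp_readdir_r()`) as for a normal end of directory, so an unterminated name from the server is silently reported as a clean end-of-listing and `errno` is left untouched. Consider having the parser return non-zero with `errno = EIO` (or another value callers can distinguish) for that case, so that the `return NULL` here carries an error the way POSIX `readdir()` does. A short comment on `static dirent_workaround entry;` explaining why the union replaces `struct dirent` would also help the next reader, e.g. `/* union pads d_name to MAXNAMLEN+1 bytes on systems whose struct dirent declares it shorter */`.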
@@ -138,6 +142,12 @@ unsigned int pos; /* position of next packet */ } FSP_FILE; + +typedef union dirent_workaround { + struct dirent dirent; + char fill[offsetof (struct dirent, d_name) + MAXNAMLEN + 1]; +} dirent_workaround; + /* function prototypes */ /* session management */
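Review bot: The new `dirent_workaround` union sizes `fill` with `MAXNAMLEN`, which is a BSD/glibc convenience macro rather than a POSIX-guaranteed one, so on a platform where `<dirent.h>` does not define it this public header stops compiling for every consumer of fsplib, not just the readdir path. A fallback just above the union keeps the header portable: `#ifndef MAXNAMLEN` / `#define MAXNAMLEN 255` / `#endif` (255 matches the `entry->name[255]` bound the directory parser uses in the same patch). The union also has no comment saying why it exists, which a maintainer will need before touching it; I would add `/* some systems declare struct dirent with a short d_name and expect the caller to allocate the full record; this union guarantees room for MAXNAMLEN+1 bytes so fsp_readdir() can terminate at d_name[MAXNAMLEN] */` above the typedef.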