Bug 1311602

Summary: vsftpd segfaults in vsf_sysutil_strndup.
Product: [Fedora] Fedora Reporter: Tomáš Hozza <thozza>
Component: vsftpd Assignee: Martin Sehnoutka <msehnout>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium Docs Contact:
Priority: medium    
Version: rawhide CC: jaskalnik, mnagy, mosvald, thozza
Target Milestone: ---   
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: vsftpd-3.0.3-2.fc23 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: 1222386 Environment:
Last Closed: 2016-07-12 23:53:51 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Tomáš Hozza 2016-02-24 15:00:19 UTC
+++ This bug was initially created as a clone of Bug #1222386 +++

Description of problem:
Vsftpd crashes while parsing the conf


Version-Release number of selected component (if applicable):
latest


Actual results:

vsftpd crashes

Expected results:

vsftpd should not crash

Additional info:

--- Additional comment from Susant Sahani on 2015-05-18 08:16:59 CEST ---

~~~
(gdb) bt
#0  vsf_sysutil_strndup (p_str=0x7f99431e3311 "", p_len=4294967295) at sysutil.c:1056
#1  0x00007f994191544c in vsf_parseconf_load_setting (p_setting=<value optimized out>, errs_fatal=<value optimized out>) at parseconf.c:280
#2  0x00007f99419156ab in vsf_parseconf_load_file (p_filename=<value optimized out>, errs_fatal=1) at parseconf.c:243
#3  0x00007f994190b138 in main (argc=2, argv=0x7fff18596218) at main.c:93
(gdb) f 0
#0  vsf_sysutil_strndup (p_str=0x7f99431e3311 "", p_len=4294967295) at sysutil.c:1056
1056	  new[p_len]='\0';
(gdb) p  new[p_len]
Cannot access memory at address 0x7f9a431e324f <========= crashing because of bad/corrupt address.
(gdb) p new
$1 = 0x7f99431e3250 ""
~~~

--- Additional comment from Susant Sahani on 2015-05-18 09:57:39 CEST ---

This is crashing because the parser is not able to interpret that there is nothing after this conf value.

~~~
ftpd_banner=
~~~

and a tab space after the '='
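
The failure mode in the backtrace above (an all-blank value after `ftpd_banner=` reaching the duplication routine with `p_len=4294967295`, which is `UINT_MAX`) as an added C example. It is not part of the original report and is not vsftpd's code or its patch: `value_len_naive`, `value_len_safe` and `dup_checked` are hypothetical names, and the double-counting trim is one constructed way a blank-only value can wrap an unsigned length.

```c
#include <ctype.h>
#include <limits.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model of the bug class, not vsftpd's code: leading and trailing
 * blanks are counted independently, so an all-blank value is counted twice
 * and the unsigned subtraction wraps around. */
unsigned int value_len_naive(const char *v)
{
    unsigned int total = (unsigned int)strlen(v), lead = 0, trail = 0;
    while (lead < total && isspace((unsigned char)v[lead]))
        lead++;
    while (trail < total && isspace((unsigned char)v[total - 1 - trail]))
        trail++;
    return total - lead - trail;   /* "\t": 1 - 1 - 1 wraps to UINT_MAX */
}

/* Hardened form: the trailing scan never crosses the leading one, so the
 * result is always in [0, strlen(v)]. *start receives the value's offset. */
unsigned int value_len_safe(const char *v, unsigned int *start)
{
    unsigned int end = (unsigned int)strlen(v), lead = 0;
    while (lead < end && isspace((unsigned char)v[lead]))
        lead++;
    while (end > lead && isspace((unsigned char)v[end - 1]))
        end--;
    *start = lead;
    return end - lead;
}

/* Length-checked duplicate: rejects a length larger than the source string
 * instead of writing the terminator at copy[len]. Caller frees the result. */
char *dup_checked(const char *s, unsigned int len)
{
    char *copy;
    if (len > strlen(s))
        return NULL;
    copy = malloc((size_t)len + 1);
    if (copy == NULL)
        return NULL;
    memcpy(copy, s, len);
    copy[len] = '\0';
    return copy;
}
```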

Comment 1 Fedora Admin XMLRPC Client 2016-03-03 13:30:59 UTC
This package has changed ownership in the Fedora Package Database.  Reassigning to the new owner of this component.

Comment 2 Martin Sehnoutka 2016-04-14 08:41:48 UTC
Fixed in:
vsftpd-3.0.3-2.fc23

Patch:
http://pkgs.fedoraproject.org/cgit/rpms/vsftpd.git/diff/vsftpd-2.2.2-blank-chars-overflow.patch?h=f23

Comment 3 Fedora Update System 2016-04-14 08:45:00 UTC
vsftpd-3.0.3-2.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2016-61c40f55a7

Comment 4 Fedora Update System 2016-04-16 19:26:25 UTC
vsftpd-3.0.3-2.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-61c40f55a7

Comment 5 Fedora Update System 2016-07-12 23:53:40 UTC
vsftpd-3.0.3-2.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.