Bug 240550 - vsftpd has a create/lock race condition which corrupts uploads
Summary: vsftpd has a create/lock race condition which corrupts uploads
Alias: None
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: vsftpd (Show other bugs)
(Show other bugs)
Version: 4.5
Hardware: All Linux
Target Milestone: ---
: ---
Assignee: Martin Nagy
QA Contact:
Keywords: Patch
Depends On:
TreeView+ depends on / blocked
Reported: 2007-05-18 12:55 UTC by Martin Poole
Modified: 2018-10-19 18:36 UTC (History)
4 users (show)

Fixed In Version: RHSA-2008-0680
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2008-07-24 19:34:52 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
patch to handle write race condition on simultaneous upload (1.55 KB, patch)
2007-05-18 12:55 UTC, Martin Poole
no flags Details | Diff
new patch to handle write race condition (2.20 KB, patch)
2007-11-29 08:33 UTC, Martin Nagy
no flags Details | Diff

External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2008:0680 normal SHIPPED_LIVE Moderate: vsftpd security and bug fix update 2008-07-24 16:38:54 UTC

Description Martin Poole 2007-05-18 12:55:17 UTC
Description of problem:

There is a race condition in the open/lock code which is triggered when two
clients upload to the same file. The lock is only obtained after the file is
opened and in the case of the second client to causes the client to hang until
the first client completes. The problem is that both opens are performed with
O_TRUNC | O_APPEND which in the second client's case truncates the first
client's progress to that point. Once the first client completes and releases
the lock the second client then appends to whatever the first client uploaded
after the second client performed the open.  This results in a file which is
neither one thing nor the other.

Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1. Simultaneously upload different files from 2 clients to same file on server
Actual results:

Uploaded file is combination of tail of first client + second file.

Expected results:

One or the other file.

Additional info:

best reproduced by using large files or limiting upload rate.

Comment 1 Martin Poole 2007-05-18 12:55:19 UTC
Created attachment 154992 [details]
patch to handle write race condition on simultaneous upload

Comment 2 RHEL Product and Program Management 2007-11-29 04:20:06 UTC
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintenance release.  Product Management has requested
further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed
products.  This request is not yet committed for inclusion in an Update

Comment 3 Martin Nagy 2007-11-29 08:33:51 UTC
Created attachment 272551 [details]
new patch to handle write race condition

This patch also respects read lock on the file that is being overwritten.

Comment 4 Michal Nowak 2007-11-30 09:21:18 UTC
Use RHTS test case
for testing.

Comment 5 Martin Nagy 2007-11-30 09:31:05 UTC
Forgot that vsftpd-2.0.1 doesn't support locking.

Comment 6 Martin Nagy 2007-12-04 12:32:04 UTC
Fixed in fedora/rawhide (vsftpd-2.0.5-21.fc9).

Comment 8 Martin Nagy 2008-02-08 10:50:34 UTC
Fix checked in CVS and the new packages were built successfully. This issue
should be resolved in vsftpd-2.0.1-6.el4

Comment 12 errata-xmlrpc 2008-07-24 19:34:52 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on therefore solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.


Note You need to log in before you can comment on or make changes to this bug.