Your message dated Sun, 27 Nov 2016 23:50:52 +0000
with message-id <[email protected]>
and subject line Bug#845918: Removed package(s) from unstable
has caused the Debian Bug report #620453,
regarding muddleftpd: memory errors from valgrind
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
620453: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=620453
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: muddleftpd
Version: 1.3.13.1-4.2
Tags: security

Fixes crashes experienced on an ubuntu system with the same version
muddle, as well as some invalid memory accesses/potential crashes from
valgrind, and tidies up compiler warnings.

I've annotated the first few diff fragments.

time() returns type time_t, which can be (is) bigger than int, causing
ctime() to return NULL, and the attempted newline-truncation to crash: 
--- muddleftpd-1.3.13.1.orig/src/logger.c
+++ muddleftpd-1.3.13.1/src/logger.c
@@ -34,8 +34,8 @@
 {
        if ((logoutfd != -1) && (((logoutmask) & type) == type))
        {
-               int currenttime = time(NULL);
-               int outlen,i;
+               time_t currenttime = time(NULL);
+               int outlen;
                char *timestr = ctime((time_t *)&currenttime);
                char *outstring;
 
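Review bot: `ctime()` can still return NULL and this hunk adds no check, so the newline truncation the description mentions (outside the hunk) remains a NULL dereference for any time value `ctime()` cannot format. With `currenttime` now a `time_t`, the `(time_t *)` cast is redundant, and it is the same cast that kept the compiler quiet about the old `int *` mismatch. I would write `char *timestr = ctime(&currenttime);` and skip the log line or substitute a fixed string when `timestr == NULL`. The function body continues past the end of the hunk.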

Munging moddir here causes file_glob to get dirlen=0, then accesses
pdir[-1].
--- muddleftpd-1.3.13.1.orig/src/dir.c
+++ muddleftpd-1.3.13.1/src/dir.c
@@ -68,8 +68,8 @@
        moddir = *pwd + strlen(peer->basedir);
        
        /* if the directory is /, set it to nothing */
-       if (moddir[1] == 0)
-               moddir[0] = 0;
+       //if (moddir[1] == 0)
+               //moddir[0] = 0;
                
        if (newdir[0] == '/')           /* absolute filename */
        {
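Review bot: Commenting out the `moddir` truncation removes only this caller's route to the `pdir[-1]` read. Per the description the bad index is computed in `file_glob` when `dirlen` is 0, and the patch does not touch that function, so any other caller passing an empty directory would presumably still reach it. A `dirlen > 0` guard in `file_glob` before it indexes `pdir` from the end would fix the cause rather than one trigger. In this hunk, delete the two lines instead of leaving them as `//` comments, and drop or reword `/* if the directory is /, set it to nothing */`, which no longer describes any code. The enclosing function starts and ends outside the hunk.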


Neither username nor group are guaranteed to have >8 bytes allocated:
--- muddleftpd-1.3.13.1.orig/src/ftplist.c
+++ muddleftpd-1.3.13.1/src/ftplist.c
@@ -108,7 +108,9 @@
                
                        strcache_add(uidcache, (int)fileinfo->st_uid, 
username);        
                }
-               username[8] = 0;
+
+               if (strlen(username)>6)
+                       username[8] = 0;
                        
                /* do group */          
                if (peer->fakegroup)
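Review bot: The new guard `strlen(username)>6` still permits a write past the end of the string. For a 7-character name the terminator is at index 7, so `username[8] = 0` stores one byte beyond it, which is out of bounds if the buffer was sized to the string, as the description suggests. Index 8 is only known to lie inside the string, and truncation is only needed, when the length exceeds 8: `if (strlen(username) > 8) username[8] = 0;`. The second hunk in this file has the same guard on `group[8]` and needs the same change. Both statements sit in a function whose start and end are outside the hunks.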
@@ -124,7 +126,9 @@
                        
                        strcache_add(gidcache, (int)fileinfo->st_gid, group);
                }
-               group[8] = 0;
+
+               if (strlen(group)>6)
+                       group[8] = 0;
 
                /* Do symbolic links */
                if (permissions[0] == 'l') 

netmask was not being set, since the scanf in getnetworkint never
matched, and was probably acting as "/0" and allowing all hosts, or
otherwise using some random value.  This should ideally verify that
the netmask is "partitioned", with all set bits followed by all clear
bits:
--- muddleftpd-1.3.13.1.orig/src/checkip.c
+++ muddleftpd-1.3.13.1/src/checkip.c
@@ -14,6 +14,7 @@
    along with this program; if not, write to the Free Software
    Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.  */
 
+#include <limits.h>
 #include "ftpd.h"
 
 int checknamelist(CONFIGFILECACHE *cf, int section, char *username)
@@ -86,7 +87,16 @@
                                *netmask = 0;
                                netmask++;
                                getnetworkint(ipaddr, 
&(new->list[new->count].ipaddr));
-                               getnetworkint(netmask, 
&(new->list[new->count].netmask));
+
+                               long res;
+                               char *end;
+                               errno=0;
+                               res=strtol(netmask, &end, 10);
+                               if ( 
(errno==ERANGE&&(res=LONG_MIN||res==LONG_MAX)) || end!=netmask+strlen(netmask) 
|| end==netmask) {
+                                       ERRORMSGFATAL(safe_snprintf("Bad IP 
mask: %s", netmask));
+                               }
+
+                               new->list[new->count].netmask=res;
                                new->list[new->count].fnstr = NULL;
                                freewrapper(settingt);
                                new->list[new->count].type = 2;
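Review bot: The range test contains `res=LONG_MIN`, an assignment where `==` was meant, and nothing bounds `res` before it is stored in `.netmask`, so a negative or oversized value in the config is accepted for an access-control entry. The overflow clause can simply be `errno == ERANGE`, and the condition should also reject values outside what the matching code expects, for example `|| res < 0 || res > 32` if the field holds a prefix length (its type and use are not visible here). The old call passed the text through `getnetworkint`; if the comparison code applies `.netmask` as a bit mask, a decimal prefix length has to be converted to one before it is stored, otherwise entries may match far more hosts than intended. The mid-block declarations and the use of `errno` also assume C99 and that `<errno.h>` arrives through `ftpd.h`.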

--- muddleftpd-1.3.13.1.orig/src/auth.c
+++ muddleftpd-1.3.13.1/src/auth.c
@@ -313,8 +313,11 @@
                pwdent = getpwnam(data);
                if (pwdent)
                        peer->uidt_asuid = pwdent->pw_uid;
-               else
+               else {
+// XXX: this should fail, or at least log a warning, if the specified
+// gid is neither (leading) numeric or exists in etc/passwd
                        peer->uidt_asuid = config->uidt_nobodyuid;
+               }
        }
        else
        {
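Review bot: The added XXX comment speaks of a gid and `etc/passwd`, but this branch resolves a user name with `getpwnam()` and assigns `peer->uidt_asuid`, so the wording will mislead whoever picks up the TODO. I would reword it and indent it with the code: `/* XXX: should fail, or at least log a warning, when the configured user is neither numeric nor known to getpwnam() */`. Until that is implemented, an unknown name silently maps to `config->uidt_nobodyuid`, which hides configuration typos in an identity-mapping setting. The surrounding function is only partly visible in the hunk.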

--- muddleftpd-1.3.13.1.orig/src/procnum.c
+++ muddleftpd-1.3.13.1/src/procnum.c
@@ -506,7 +506,7 @@
 int shinfo_adduser_inetd(unsigned int ip, int slimit, int iplimit, int *error)
 {
        SCRFILEREC d;
-       int scount, ipcount, pos, full;
+       int scount, ipcount=0, pos, full;
        
        /* we are running inetd. go through scratch file, find an
           empty record, and count space in file. */
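Review bot: The `ipcount=0` initialiser is buried in a four-variable declaration, which makes it easy to miss that only one of the counters is initialised. I would give it its own line with the reason, e.g. `int ipcount = 0; /* valgrind: was read before being set */`; confirm the wording against the code that reads it, which is outside the hunk. Whether `scount` and `full` are assigned before they are read cannot be checked from these lines and is worth a look, since they appear to feed the connection limits passed in as `slimit` and `iplimit`.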

Allocation of one too many bytes.
--- muddleftpd-1.3.13.1.orig/src/utils.c
+++ muddleftpd-1.3.13.1/src/utils.c
@@ -81,7 +81,7 @@
        
        assert(s != NULL);
        
-       outstr = malloc(strlen(s) + 2);
+       outstr = malloc(strlen(s) + 1);
        
        if (outstr == NULL)
                ERRORMSGFATAL("strdup error, out of memory");
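Review bot: Shrinking the buffer to `strlen(s) + 1` is only correct if the copy that follows writes exactly the string plus its terminator; that copy is outside the hunk and should be checked before the spare byte is removed. The extra byte was harmless, whereas code elsewhere in this patch (`username[8] = 0` in ftplist.c) writes at fixed offsets into strings that may come from this wrapper, so exact-size allocations turn any remaining off-by-one into a heap overflow. If the change stays, computing the length once and copying with `memcpy(outstr, s, len + 1)` keeps the allocation and the copy in step.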

--- muddleftpd-1.3.13.1.orig/src/version.c
+++ muddleftpd-1.3.13.1/src/version.c
@@ -16,6 +16,7 @@
 
 #include "../defaults.h"
 #include <stdio.h>
+#include <stdlib.h>
 
 void showversion(char *desc)
 {

--- muddleftpd-1.3.13.1.orig/src/socket.c
+++ muddleftpd-1.3.13.1/src/socket.c
@@ -100,8 +100,8 @@
                pos = 0;
                while (server[pos] != 0)
                {
-                       if (server[pos] == 46)
-                               buffertmp[pos] = 65;
+                       if (server[pos] == 46) // dotted-quad octet separator
+                               buffertmp[pos] = 65; // capital "A" flag, see 
sscanf below
                        else
                                buffertmp[pos] = server[pos];
                        pos = pos + 1;
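Review bot: The copy loop writes `buffertmp[pos]` for every byte of `server` with no limit on `pos` in the visible lines, so a long host string overruns the buffer unless its length is checked against the size of `buffertmp` before the loop, outside the hunk. I would bound the loop itself, e.g. `while (server[pos] != 0 && pos < (int)sizeof(buffertmp) - 1)` if `buffertmp` is an array, and terminate the copy afterwards. For the lines this hunk touches, character literals say what the new comments say without the magic numbers: `if (server[pos] == '.') buffertmp[pos] = 'A';`.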
only in patch2:
unchanged:

--- muddleftpd-1.3.13.1.orig/modules/auth/authlibmud/auth.h
+++ muddleftpd-1.3.13.1/modules/auth/authlibmud/auth.h
@@ -20,6 +20,7 @@
 #include <unistd.h>
 #include <sys/types.h>
 #include <stdarg.h>
+#include "../../../config.h"
 
 #ifndef INT_MAX
 #define INT_MAX 0x7FFFFFFF

--- muddleftpd-1.3.13.1.orig/modules/auth/authlibmud/authmud.c
+++ muddleftpd-1.3.13.1/modules/auth/authlibmud/authmud.c
@@ -14,7 +14,7 @@
    along with this program; if not, write to the Free Software
    Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.  */
 
-#include "config.h"
+#include <string.h>
 #include "auth.h"
 
 /* This file contains code to autheticate for mud users */
--- muddleftpd-1.3.13.1.orig/modules/auth/authlibsmb/smbval/smblib-util.c
+++ muddleftpd-1.3.13.1/modules/auth/authlibsmb/smbval/smblib-util.c
@@ -25,6 +25,7 @@
 
 #include "smblib-priv.h"
 #include <malloc.h>
+#include <string.h>
 
 #include "rfcnb.h"
 
--- muddleftpd-1.3.13.1.orig/modules/auth/authlibsmb/smbval/session.c
+++ muddleftpd-1.3.13.1/modules/auth/authlibsmb/smbval/session.c
@@ -25,6 +25,7 @@
 
 #include <malloc.h>
 #include <string.h>
+#include <stdlib.h>
 
 int RFCNB_errno = 0;
 int RFCNB_saved_errno = 0;
--- muddleftpd-1.3.13.1.orig/modules/auth/authlibsmb/smbval/smbencrypt.c
+++ muddleftpd-1.3.13.1/modules/auth/authlibsmb/smbval/smbencrypt.c
@@ -26,6 +26,7 @@
 #include <string.h>
 #include <sys/vfs.h>
 #include <netinet/in.h>
+#include <ctype.h>
 
 #include "smblib-priv.h"
 #define uchar unsigned char
--- muddleftpd-1.3.13.1.orig/modules/auth/authlibsmb/smbval/rfcnb-util.c
+++ muddleftpd-1.3.13.1/modules/auth/authlibsmb/smbval/rfcnb-util.c
@@ -26,6 +26,10 @@
 #include <string.h>
 #include <malloc.h>
 
+#include <sys/socket.h>
+#include <netinet/in.h>
+#include <arpa/inet.h>
+
 #include "std-includes.h"
 #include "rfcnb-priv.h"
 #include "rfcnb-util.h"

diff -u muddleftpd-1.3.13.1/modules/auth/authlibsmb/smbval/smblib.c 
muddleftpd-1.3.13.1/modules/auth/authlibsmb/smbval/smblib.c
--- muddleftpd-1.3.13.1/modules/auth/authlibsmb/smbval/smblib.c
+++ muddleftpd-1.3.13.1/modules/auth/authlibsmb/smbval/smblib.c
@@ -26,6 +26,7 @@
 #include "../config.h"
 #include <malloc.h>
 #include <string.h>
+#include <ctype.h>
 
 int SMBlib_errno;
 int SMBlib_SMB_Error;

--- muddleftpd-1.3.13.1.orig/src/ftpd.h
+++ muddleftpd-1.3.13.1/src/ftpd.h
@@ -515,6 +515,7 @@
 
 /* utils.h */
 
+void fd_closeall_nonterminal(void);
 void *mallocwrapper(int size);
 void reallocwrapper(int size, void **inarea);
 char *strdupwrapper(char *s);



--- End Message ---
--- Begin Message ---
Version: 1.3.13.1-4.3+rm

Dear submitter,

as the package muddleftpd has just been removed from the Debian archive
unstable we hereby close the associated bug reports.  We are sorry
that we couldn't deal with your issue properly.

For details on the removal, please see https://bugs.debian.org/845918

The version of this package that was in Debian prior to this removal
can still be found using http://snapshot.debian.org/.

This message was generated automatically; if you believe that there is
a problem with it please contact the archive administrators by mailing
[email protected].

Debian distribution maintenance software
pp.
Scott Kitterman (the ftpmaster behind the curtain)

--- End Message ---
