Package: muddleftpd
Version: 1.3.13.1-4.2
Tags: security
Fixes crashes experienced on an Ubuntu system with the same version of
muddle, as well as some invalid memory accesses/potential crashes reported by
valgrind, and tidies up compiler warnings.
I've annotated the first few diff fragments.
time() returns type time_t, which can be (is) bigger than int, causing
ctime() to return NULL, and the attempted newline-truncation to crash:
--- muddleftpd-1.3.13.1.orig/src/logger.c
+++ muddleftpd-1.3.13.1/src/logger.c
@@ -34,8 +34,8 @@
{
if ((logoutfd != -1) && (((logoutmask) & type) == type))
{
- int currenttime = time(NULL);
- int outlen,i;
+ time_t currenttime = time(NULL);
+ int outlen;
char *timestr = ctime((time_t *)¤ttime);
char *outstring;
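Review bot: ctime() can still return NULL after this change, for a time value it cannot represent, and the newline truncation that crashed is outside the hunk and not guarded here. That truncation should be skipped, or the log line emitted without a timestamp, when `timestr == NULL`. The `(time_t *)` cast on the ctime() argument is now redundant, and a cast like it is what let the original `int` compile silently; `ctime(&currenttime)` lets the compiler check the type.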
Munging moddir here causes file_glob to get dirlen=0, then accesses
pdir[-1].
--- muddleftpd-1.3.13.1.orig/src/dir.c
+++ muddleftpd-1.3.13.1/src/dir.c
@@ -68,8 +68,8 @@
moddir = *pwd + strlen(peer->basedir);
/* if the directory is /, set it to nothing */
- if (moddir[1] == 0)
- moddir[0] = 0;
+ //if (moddir[1] == 0)
+ //moddir[0] = 0;
if (newdir[0] == '/') /* absolute filename */
{
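Review bot: The root-directory special case is disabled by commenting it out with `//`, which leaves dead code and no record of why. Delete the two lines or replace them with a comment such as `/* moddir stays "/" here: an empty string makes file_glob see dirlen == 0 and read pdir[-1] */`. The out-of-bounds read itself is in file_glob, which this patch does not touch, so any other caller that passes an empty directory would presumably still reach it; a `dirlen == 0` guard there would address the cause rather than this one call site. The enclosing function continues outside the hunk, so whether later code relied on moddir being empty for "/" needs confirming.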
Neither username nor group are guaranteed to have >8 bytes allocated:
--- muddleftpd-1.3.13.1.orig/src/ftplist.c
+++ muddleftpd-1.3.13.1/src/ftplist.c
@@ -108,7 +108,9 @@
strcache_add(uidcache, (int)fileinfo->st_uid,
username);
}
- username[8] = 0;
+
+ if (strlen(username)>6)
+ username[8] = 0;
/* do group */
if (peer->fakegroup)
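Review bot: The new guard `strlen(username)>6` still lets a 7-character name reach `username[8] = 0`, and for a string held in exactly strlen+1 bytes that index is one past the allocation; index 8 is only inside the buffer once the length is at least 8. `if (strlen(username) > 8) username[8] = 0;` truncates long names and leaves short ones untouched. The same applies to the `group` check in the following hunk (`if (strlen(group) > 8) group[8] = 0;`). The utils.c hunk in this patch shrinks an allocation from strlen+2 to strlen+1; if these strings come from that wrapper (not visible here), the slack byte that used to absorb this write is gone.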
@@ -124,7 +126,9 @@
strcache_add(gidcache, (int)fileinfo->st_gid, group);
}
- group[8] = 0;
+
+ if (strlen(group)>6)
+ group[8] = 0;
/* Do symbolic links */
if (permissions[0] == 'l')
netmask was not being set, since the scanf in getnetworkint never
matched, and was probably acting as "/0" and allowing all hosts, or
otherwise using some random value. This should ideally verify that
the netmask is "partitioned", with all set bits followed by all clear
bits:
--- muddleftpd-1.3.13.1.orig/src/checkip.c
+++ muddleftpd-1.3.13.1/src/checkip.c
@@ -14,6 +14,7 @@
along with this program; if not, write to the Free Software
Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. */
+#include <limits.h>
#include "ftpd.h"
int checknamelist(CONFIGFILECACHE *cf, int section, char *username)
@@ -86,7 +87,16 @@
*netmask = 0;
netmask++;
getnetworkint(ipaddr,
&(new->list[new->count].ipaddr));
- getnetworkint(netmask,
&(new->list[new->count].netmask));
+
+ long res;
+ char *end;
+ errno=0;
+ res=strtol(netmask, &end, 10);
+ if (
(errno==ERANGE&&(res=LONG_MIN||res==LONG_MAX)) || end!=netmask+strlen(netmask)
|| end==netmask) {
+ ERRORMSGFATAL(safe_snprintf("Bad IP
mask: %s", netmask));
+ }
+
+ new->list[new->count].netmask=res;
new->list[new->count].fnstr = NULL;
freewrapper(settingt);
new->list[new->count].type = 2;
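Review bot: In the strtol check, `res=LONG_MIN` is an assignment, so on ERANGE `res` is overwritten with 1 before the error path runs; it should read `res==LONG_MIN`, or the test can be reduced to `errno == ERANGE || end == netmask || *end != '\0'`. The parsed value is then stored into `netmask` with no range check, so a negative number or one wider than the field is accepted and silently converted. Since this list decides which hosts match, out-of-range masks should be rejected before the assignment, along with the contiguity check the description mentions. The hunk uses `errno` and `ERANGE` but the patch only adds `<limits.h>`; presumably `ftpd.h` pulls in `<errno.h>`, which should be confirmed. The enclosing function starts and ends outside the hunk.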
--- muddleftpd-1.3.13.1.orig/src/auth.c
+++ muddleftpd-1.3.13.1/src/auth.c
@@ -313,8 +313,11 @@
pwdent = getpwnam(data);
if (pwdent)
peer->uidt_asuid = pwdent->pw_uid;
- else
+ else {
+// XXX: this should fail, or at least log a warning, if the specified
+// gid is neither (leading) numeric or exists in etc/passwd
peer->uidt_asuid = config->uidt_nobodyuid;
+ }
}
else
{
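Review bot: The added XXX comment says "gid", but the branch resolves a user name with `getpwnam` and assigns `peer->uidt_asuid`, so it documents the wrong identifier; it also sits at column 0 inside an indented block. Suggested wording: `/* XXX: should fail, or at least log a warning, when the configured uid is neither numeric nor a user known to getpwnam(); it currently falls back silently to uidt_nobodyuid */`. Until that is implemented, a misspelled user name in the configuration is indistinguishable from an intended mapping to the nobody uid. The enclosing block continues outside the hunk.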
--- muddleftpd-1.3.13.1.orig/src/procnum.c
+++ muddleftpd-1.3.13.1/src/procnum.c
@@ -506,7 +506,7 @@
int shinfo_adduser_inetd(unsigned int ip, int slimit, int iplimit, int *error)
{
SCRFILEREC d;
- int scount, ipcount, pos, full;
+ int scount, ipcount=0, pos, full;
/* we are running inetd. go through scratch file, find an
empty record, and count space in file. */
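Review bot: Only `ipcount` gains an initializer; `scount`, `pos` and `full` in the same declaration stay uninitialized, and `scount` in particular looks like a counter accumulated the same way. The body is outside the hunk, so this needs confirming. If these counters feed the `slimit`/`iplimit` comparisons, an indeterminate start value makes the connection limits unreliable. Declaring them one per line with explicit initial values (`int scount = 0;`, `int ipcount = 0;`) would make the intent visible.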
Allocation of one too many bytes.
--- muddleftpd-1.3.13.1.orig/src/utils.c
+++ muddleftpd-1.3.13.1/src/utils.c
@@ -81,7 +81,7 @@
assert(s != NULL);
- outstr = malloc(strlen(s) + 2);
+ outstr = malloc(strlen(s) + 1);
if (outstr == NULL)
ERRORMSGFATAL("strdup error, out of memory");
--- muddleftpd-1.3.13.1.orig/src/version.c
+++ muddleftpd-1.3.13.1/src/version.c
@@ -16,6 +16,7 @@
#include "../defaults.h"
#include <stdio.h>
+#include <stdlib.h>
void showversion(char *desc)
{
--- muddleftpd-1.3.13.1.orig/src/socket.c
+++ muddleftpd-1.3.13.1/src/socket.c
@@ -100,8 +100,8 @@
pos = 0;
while (server[pos] != 0)
{
- if (server[pos] == 46)
- buffertmp[pos] = 65;
+ if (server[pos] == 46) // dotted-quad octet separator
+ buffertmp[pos] = 65; // capital "A" flag, see
sscanf below
else
buffertmp[pos] = server[pos];
pos = pos + 1;
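Review bot: The magic numbers are now explained by trailing comments, but character literals say the same thing without needing one: `if (server[pos] == '.')` and `buffertmp[pos] = 'A';`. Separately, the loop writes `buffertmp[pos]` until it meets the terminator of `server`, and no bound on `pos` is visible in the hunk. The declaration of `buffertmp` is outside the hunk, so its size should be checked against the longest `server` string a caller can supply. The loop's closing brace and the sscanf call it feeds are also outside the hunk.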
only in patch2:
unchanged:
--- muddleftpd-1.3.13.1.orig/modules/auth/authlibmud/auth.h
+++ muddleftpd-1.3.13.1/modules/auth/authlibmud/auth.h
@@ -20,6 +20,7 @@
#include <unistd.h>
#include <sys/types.h>
#include <stdarg.h>
+#include "../../../config.h"
#ifndef INT_MAX
#define INT_MAX 0x7FFFFFFF
--- muddleftpd-1.3.13.1.orig/modules/auth/authlibmud/authmud.c
+++ muddleftpd-1.3.13.1/modules/auth/authlibmud/authmud.c
@@ -14,7 +14,7 @@
along with this program; if not, write to the Free Software
Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. */
-#include "config.h"
+#include <string.h>
#include "auth.h"
/* This file contains code to autheticate for mud users */
--- muddleftpd-1.3.13.1.orig/modules/auth/authlibsmb/smbval/smblib-util.c
+++ muddleftpd-1.3.13.1/modules/auth/authlibsmb/smbval/smblib-util.c
@@ -25,6 +25,7 @@
#include "smblib-priv.h"
#include <malloc.h>
+#include <string.h>
#include "rfcnb.h"
--- muddleftpd-1.3.13.1.orig/modules/auth/authlibsmb/smbval/session.c
+++ muddleftpd-1.3.13.1/modules/auth/authlibsmb/smbval/session.c
@@ -25,6 +25,7 @@
#include <malloc.h>
#include <string.h>
+#include <stdlib.h>
int RFCNB_errno = 0;
int RFCNB_saved_errno = 0;
--- muddleftpd-1.3.13.1.orig/modules/auth/authlibsmb/smbval/smbencrypt.c
+++ muddleftpd-1.3.13.1/modules/auth/authlibsmb/smbval/smbencrypt.c
@@ -26,6 +26,7 @@
#include <string.h>
#include <sys/vfs.h>
#include <netinet/in.h>
+#include <ctype.h>
#include "smblib-priv.h"
#define uchar unsigned char
--- muddleftpd-1.3.13.1.orig/modules/auth/authlibsmb/smbval/rfcnb-util.c
+++ muddleftpd-1.3.13.1/modules/auth/authlibsmb/smbval/rfcnb-util.c
@@ -26,6 +26,10 @@
#include <string.h>
#include <malloc.h>
+#include <sys/socket.h>
+#include <netinet/in.h>
+#include <arpa/inet.h>
+
#include "std-includes.h"
#include "rfcnb-priv.h"
#include "rfcnb-util.h"
diff -u muddleftpd-1.3.13.1/modules/auth/authlibsmb/smbval/smblib.c
muddleftpd-1.3.13.1/modules/auth/authlibsmb/smbval/smblib.c
--- muddleftpd-1.3.13.1/modules/auth/authlibsmb/smbval/smblib.c
+++ muddleftpd-1.3.13.1/modules/auth/authlibsmb/smbval/smblib.c
@@ -26,6 +26,7 @@
#include "../config.h"
#include <malloc.h>
#include <string.h>
+#include <ctype.h>
int SMBlib_errno;
int SMBlib_SMB_Error;
--- muddleftpd-1.3.13.1.orig/src/ftpd.h
+++ muddleftpd-1.3.13.1/src/ftpd.h
@@ -515,6 +515,7 @@
/* utils.h */
+void fd_closeall_nonterminal(void);
void *mallocwrapper(int size);
void reallocwrapper(int size, void **inarea);
char *strdupwrapper(char *s);