March 12, 2020

GHSL-2020-001: Off-by-one heap overflow in Bftpd

Antonio Morales

Summary

Under certain circumstances, an off-by-one heap overflow can occur in the command_retr function.

Product

Bftpd

Tested Version

Bftpd 5.3

Details

Multiple int-to-bool casting vulnerabilities, leading to heap overflow

The command_retr function in commands.c executes while ((i = read(phile, buffer, my_buffer_size))), but under certain circumstances read fails and returns -1.

In this case, the problem is that the while condition still evaluates as true, because in the C programming language every non-zero value, -1 included, is treated as true.

As a result, the loop body runs with i equal to -1 and executes buffer[-1] = '\0', an off-by-one out-of-bounds write of a single byte immediately before the heap buffer.

This is a medium-low severity vulnerability.
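To make the failure mode concrete, here is an added illustration (not Bftpd's code) of the loop shape described above next to a hardened version that classifies the read result before using it as an index; a guard byte placed just before the buffer shows where the stray write lands. That the loop body NUL-terminates at buffer[i], the buffer sizes and the helper names are assumptions for this example.

```c
#include <errno.h>
#include <string.h>
#include <unistd.h>

/* Loop shape the advisory describes: only the truthiness of read()'s result is
 * tested, so -1 (error) enters the body as if it were data (body is assumed). */
ssize_t retr_loop_vulnerable(int fd, char *buffer, size_t bufsz) {
    ssize_t i;
    while ((i = read(fd, buffer, bufsz - 1))) {
        buffer[i] = '\0';          /* i == -1 on error: one byte before buffer */
        if (i < 0) break;          /* harness only: stop after the first bad write */
    }
    return i;
}

/* Hardened shape: classify the result before ever using it as an index. */
ssize_t retr_loop_fixed(int fd, char *buffer, size_t bufsz, size_t *total) {
    *total = 0;
    for (;;) {
        ssize_t i = read(fd, buffer, bufsz - 1);
        if (i > 0) { buffer[i] = '\0'; *total += (size_t)i; continue; }
        if (i == 0) return 0;              /* EOF: normal end of transfer */
        if (errno == EINTR) continue;      /* interrupted: retry */
        return -1;                         /* real error: report, never index */
    }
}

/* Harness: a guard byte sits just before the buffer handed to the loop, so a
 * buffer[-1] write hits the guard. Returns 1 if the guard survived, else 0. */
int guard_survives(int fd, int hardened) {
    char store[16];
    size_t total;
    memset(store, 'G', sizeof store);
    if (hardened) retr_loop_fixed(fd, store + 1, sizeof store - 1, &total);
    else          retr_loop_vulnerable(fd, store + 1, sizeof store - 1);
    return store[0] == 'G';
}

/* Constructed input: push bytes through a pipe; returns bytes accounted for, or -1. */
ssize_t drain_pipe_fixed(const char *data, size_t len) {
    int p[2]; char buf[8]; size_t total;
    if (pipe(p) != 0) return -1;
    if (write(p[1], data, len) != (ssize_t)len) { close(p[0]); close(p[1]); return -1; }
    close(p[1]);
    ssize_t rc = retr_loop_fixed(p[0], buf, sizeof buf, &total);
    close(p[0]);
    return rc == 0 ? (ssize_t)total : -1;
}
```

Passing an invalid descriptor such as -1 makes read fail with EBADF, which is enough to trigger the stray write in the first loop and is correctly reported as an error by the second.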

Impact

Heap memory corruption with a single NUL byte.

Coordinated Disclosure Timeline

This report was subject to our coordinated disclosure policy.

  • 01/09/2020: Report sent to Vendor
  • 01/09/2020: Vendor acknowledged report
  • 01/10/2020: Vendor published fix

Supporting Resources

Credit

This issue was discovered and reported by GHSL team member @antonio-morales (Antonio Morales).

Contact

You can contact the GHSL team at securitylab@github.com; please include the GHSL-YEAR-ID in any communication regarding this issue.