March 12, 2020

GHSL-2020-001: Off-by-one heap overflow in Bftpd

Antonio Morales


Under certain circumstances, an off-by-one heap overflow can occur in the command_retr function.



Tested Version

Bftpd 5.3


Multiple int-to-bool casting vulnerabilities, leading to heap overflow

The command_retr function in commands.c executes while ((i = read(phile, buffer, my_buffer_size))), but under certain circumstances read can return -1 (its error return value).

In this case, the problem is that the while condition is evaluated as true, because in the C programming language every non-zero value, -1 included, is considered true.

As a result, an off-by-one out-of-bounds write into heap memory is triggered when buffer[-1] = '\0' is executed: the NUL terminator lands one byte before the start of the heap buffer.
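As an added illustration (not Bftpd's code, which this advisory does not reproduce), the following C puts the truthiness of the original loop condition next to a corrected read loop that stops on -1 and keeps the terminator write inside the allocation; the descriptors and the two demo scenarios are constructed for the demonstration.

```c
#include <fcntl.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* The loop condition as the advisory quotes it: `while ((i = read(...)))`.
 * C converts the int to bool, so read()'s -1 error return counts as true. */
int loop_continues_original(ssize_t i) { return i != 0; }

/* Corrected condition: continue only while read() actually returned data. */
int loop_continues_fixed(ssize_t i) { return i > 0; }

/* Hardened RETR-style copy loop (illustrative, not Bftpd's code). buffer[n]
 * is the terminator write that becomes buffer[-1] in the original when
 * n == -1; here n stays in [1, bufsize] and malloc() reserved the extra byte. */
long copy_fd_hardened(int in_fd, int out_fd, size_t bufsize) {
    char *buffer = malloc(bufsize + 1);
    if (buffer == NULL) return -1;
    long total = 0;
    ssize_t n;
    while ((n = read(in_fd, buffer, bufsize)) > 0) {   /* -1 and 0 both exit */
        buffer[n] = '\0';
        if (write(out_fd, buffer, (size_t)n) != n) { free(buffer); return -1; }
        total += n;
    }
    free(buffer);
    return n < 0 ? -1 : total;   /* n == 0 is EOF, n < 0 is a read error */
}

/* Constructed scenario 1: an invalid descriptor makes read() fail (EBADF);
 * the hardened loop reports -1 instead of iterating into buffer[-1]. */
long demo_bad_fd(void) { return copy_fd_hardened(-1, -1, 16); }

/* Constructed scenario 2: a short message pushed through a pipe is copied
 * with a 4-byte buffer, exercising the n == bufsize edge on full reads. */
long demo_pipe_copy(const char *msg) {
    int fds[2];
    if (pipe(fds) != 0) return -1;
    if (write(fds[1], msg, strlen(msg)) < 0) return -1;
    close(fds[1]);                  /* EOF so read() eventually returns 0 */
    int devnull = open("/dev/null", O_WRONLY);
    long r = copy_fd_hardened(fds[0], devnull, 4);
    close(fds[0]); close(devnull);
    return r;
}
```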

This is a medium-low severity vulnerability.


Impact

Heap memory corruption with a single NUL byte.

Coordinated Disclosure Timeline

This report was subject to our coordinated disclosure policy.

Supporting Resources


This issue was discovered and reported by GHSL team member @antonio-morales (Antonio Morales).


You can contact the GHSL team at, please include the GHSL-YEAR-ID in any communication regarding this issue.