March 12, 2020

GHSL-2020-025: OOB read and DoS in PureFTPd

Antonio Morales


An uninitialized pointer vulnerability has been detected in PureFTPd which results in out-of-bounds (OOB) reads. It could also allow an attacker to trigger a Denial of Service against PureFTPd.



Tested Version

Development version - master branch (Feb 7, 2020)


Uninitialized pointer vulnerability in diraliases linked-list (CVE-2020-9274)

A vulnerability has been detected in the way PureFTPd processes its diraliases linked list.

The problem originates in the init_aliases function in diraliases.c (see the code). In this function, the next member of the last item in the linked list is not set to NULL.

As a result, when the lookup_alias(const char *alias) or print_aliases(void) functions are called, they fail to detect the end of the linked list and try to access a non-existent list member.

PureFTPd ASAN build instructions

CC="clang" CXX="clang++" CFLAGS="-fsanitize=address -g -O0" CXXFLAGS="-fsanitize=address -g -O0" LDFLAGS="-fsanitize=address" ./configure --without-privsep --with-diraliases
make -j4

Steps to reproduce:

  1. Compile PureFTPd with ASAN as described above. Note that you need to comment out the setrlimit(RLIMIT_DATA) call to be able to use ASAN with PureFTPd, because ASAN takes a lot of virtual memory (see the code).
  2. Copy the provided alias configuration file into /[CONFDIR]/pureftpd-dir-aliases (usually /etc/pureftpd-dir-aliases)
  3. Run PureFTPd as root with the -S parameter
  4. Connect to the FTP server and log in with a valid user and password
  5. Send the SITE alias command
  6. PureFTPd should crash


This issue may lead to an OOB read and post-auth DoS.


Add tail->next = NULL for the last item of the linked list. Patch information can be found here
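The missing terminator and the one-line fix, modelled in a stand-alone C program. This is an added example, not PureFTPd's code: the Alias struct, build_aliases, tail_is_terminated, lookup and the sample aliases are assumptions, and the memset with 0xAA stands in for whatever stale bytes malloc happens to return.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef struct Alias {          /* hypothetical node, not PureFTPd's struct */
    const char *alias, *dir;
    struct Alias *next;
} Alias;

/* terminate=0 reproduces the missing tail->next = NULL;
 * terminate=1 applies the fix the advisory recommends. */
static Alias *build_aliases(const char *const pairs[][2], size_t n, int terminate) {
    Alias *head = NULL, *tail = NULL;
    for (size_t i = 0; i < n; i++) {
        Alias *cur = malloc(sizeof *cur);
        if (cur == NULL) abort();
        memset(cur, 0xAA, sizeof *cur);   /* stand-in for stale heap bytes */
        cur->alias = pairs[i][0];
        cur->dir = pairs[i][1];
        if (head == NULL) head = cur; else tail->next = cur;
        tail = cur;
    }
    if (terminate && tail != NULL) tail->next = NULL;
    return head;
}

/* Walk exactly n nodes, never past the tail, and report whether a
 * "while (cur != NULL)" traversal would stop at the end of the list. */
static int tail_is_terminated(const Alias *head, size_t n) {
    if (head == NULL || n == 0) return head == NULL;
    while (--n > 0) head = head->next;
    return head->next == NULL;
}

/* NULL-terminated walk; only safe when the list was built with terminate=1. */
static const char *lookup(const Alias *head, const char *alias) {
    for (const Alias *cur = head; cur != NULL; cur = cur->next)
        if (strcmp(cur->alias, alias) == 0) return cur->dir;
    return NULL;
}

static const char *const SAMPLE[][2] = {  /* constructed sample aliases */
    {"pub", "/srv/ftp/pub"}, {"logs", "/var/log/ftp"}, {"tmp", "/tmp"},
};

int main(void) {
    Alias *bad = build_aliases(SAMPLE, 3, 0), *ok = build_aliases(SAMPLE, 3, 1);
    printf("unfixed list terminated: %d\n", tail_is_terminated(bad, 3));
    printf("fixed list terminated:   %d\n", tail_is_terminated(ok, 3));
    return lookup(ok, "no-such-alias") != NULL;  /* a miss must end the walk */
}
```

On the unfixed list, any lookup that misses would follow the stale next pointer past the tail, which is the OOB read ASAN reports in the reproduction steps.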

Coordinated Disclosure Timeline

This report is subject to our coordinated disclosure policy.

Supporting Resources


This issue was discovered and reported by GHSL team member @antonio-morales (Antonio Morales).


