Package: pure-ftpd / 1.0.49-4.1

CVE-2019-20176.diff Patch series | download
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
commit aea56f4bcb9948d456f3fae4d044fd3fa2e19706
Author: Frank Denis <github@pureftpd.org>
Date:   Mon Dec 30 17:40:04 2019 +0100

    listdir(): reuse a single buffer to store every file name to display
    
    Allocating a new buffer for each entry is useless.
    
    And as these buffers are allocated on the stack, on systems with a
    small stack size, with many entries, the limit can easily be reached,
    causing a stack exhaustion and aborting the user session.
    
    Reported by Antonio Morales from the GitHub Security Lab team, thanks!

diff --git a/src/ls.c b/src/ls.c
index cf804c7..f8a588f 100644
--- a/src/ls.c
+++ b/src/ls.c
@@ -661,6 +661,8 @@ static void listdir(unsigned int depth, int f, void * const tls_fd,
     char *names;
     PureFileInfo *s;
     PureFileInfo *r;
+    char *alloca_subdir;
+    size_t sizeof_subdir;
     int d;
 
     if (depth >= max_ls_depth || matches >= max_ls_files) {
@@ -690,14 +692,12 @@ static void listdir(unsigned int depth, int f, void * const tls_fd,
     }
     outputfiles(f, tls_fd);
     r = dir;
+    sizeof_subdir = PATH_MAX + 1U;
+    if ((alloca_subdir = ALLOCA(sizeof_subdir)) == NULL) {
+        goto toomany;
+    }
     while (opt_R && r != s) {
         if (r->name_offset != (size_t) -1 && !chdir(FI_NAME(r))) {
-            char *alloca_subdir;
-            const size_t sizeof_subdir = PATH_MAX + 1U;
-
-            if ((alloca_subdir = ALLOCA(sizeof_subdir)) == NULL) {
-                goto toomany;
-            }
             if (SNCHECK(snprintf(alloca_subdir, sizeof_subdir, "%s/%s",
                                  name, FI_NAME(r)), sizeof_subdir)) {
                 goto nolist;
@@ -706,8 +706,8 @@ static void listdir(unsigned int depth, int f, void * const tls_fd,
             wrstr(f, tls_fd, alloca_subdir);
             wrstr(f, tls_fd, ":\r\n\r\n");
             listdir(depth + 1U, f, tls_fd, alloca_subdir);
+
             nolist:
-            ALLOCA_FREE(alloca_subdir);
             if (matches >= max_ls_files) {
                 goto toomany;
             }
@@ -720,6 +720,7 @@ static void listdir(unsigned int depth, int f, void * const tls_fd,
         r++;
     }
     toomany:
+    ALLOCA_FREE(alloca_subdir);
     free(names);
     free(dir);
     names = NULL;