summaryrefslogtreecommitdiffstats
path: root/meta-networking
diff options
context:
space:
mode:
authorHongxu Jia <hongxu.jia@windriver.com>2014-09-02 11:24:17 +0800
committerMartin Jansa <Martin.Jansa@gmail.com>2014-09-26 05:41:52 +0200
commitaf971abbf0657ec40bb8d8d4516c077c76d52dd0 (patch)
treeb62df7883ce96f699bef9c70e2b3ad38c5f021dd /meta-networking
parent61b5d70f8fa96b076ee1635b7fd0c9a5c0875494 (diff)
downloadmeta-openembedded-af971abbf0657ec40bb8d8d4516c077c76d52dd0.tar.gz
proftpd: fix integer overflow CVE-2013-4359
Integrate a patch from proftpd upstream to fix an integer overflow bug described in the CVE-2013-4359, which allows remote attachers to cause a denial of service (memory consumption) attack. Refer: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4359 Signed-off-by: Shan Hai <shan.hai@windriver.com> Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com> Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
Diffstat (limited to 'meta-networking')
-rw-r--r--meta-networking/recipes-daemons/proftpd/files/proftpd-sftp.patch142
-rw-r--r--meta-networking/recipes-daemons/proftpd/proftpd_1.3.4b.bb3
2 files changed, 144 insertions, 1 deletions
diff --git a/meta-networking/recipes-daemons/proftpd/files/proftpd-sftp.patch b/meta-networking/recipes-daemons/proftpd/files/proftpd-sftp.patch
new file mode 100644
index 000000000..8c71263b0
--- /dev/null
+++ b/meta-networking/recipes-daemons/proftpd/files/proftpd-sftp.patch
@@ -0,0 +1,142 @@
1proftpd/mod_sftp: fix too much memory allocation bug of mod_sftp
2
3This patch fixes the too much memory allocation bug of the mod_sftp by
4ensuring both that a) the received response count matches the number of
5challenges sent, and b) that the received response count is not too high
6(as an additional sanity check); the upper bound is still set to 500.
7
8The patch is picked from: http://bugs.proftpd.org/show_bug.cgi?id=3973
9
10Upstream-Status: Backport CVE-2013-4359
11
12diff --git a/contrib/mod_sftp/kbdint.c b/contrib/mod_sftp/kbdint.c
13index 0271fb2..de651fa 100644
14--- a/contrib/mod_sftp/kbdint.c
15+++ b/contrib/mod_sftp/kbdint.c
16@@ -1,6 +1,6 @@
17 /*
18 * ProFTPD - mod_sftp keyboard-interactive driver mgmt
19- * Copyright (c) 2008-2009 TJ Saunders
20+ * Copyright (c) 2008-2013 TJ Saunders
21 *
22 * This program is free software; you can redistribute it and/or modify
23 * it under the terms of the GNU General Public License as published by
24@@ -31,6 +31,8 @@
25 #include "utf8.h"
26 #include "kbdint.h"
27
28+#define SFTP_KBDINT_MAX_RESPONSES 500
29+
30 struct kbdint_driver {
31 struct kbdint_driver *next, *prev;
32
33@@ -252,8 +254,8 @@ int sftp_kbdint_send_challenge(const char *user, const char *instruction,
34 return res;
35 }
36
37-int sftp_kbdint_recv_response(pool *p, unsigned int *count,
38- const char ***responses) {
39+int sftp_kbdint_recv_response(pool *p, unsigned int expected_count,
40+ unsigned int *rcvd_count, const char ***responses) {
41 register unsigned int i;
42 char *buf;
43 cmd_rec *cmd;
44@@ -264,7 +266,7 @@ int sftp_kbdint_recv_response(pool *p, unsigned int *count,
45 int res;
46
47 if (p == NULL ||
48- count == NULL ||
49+ rcvd_count == NULL ||
50 responses == NULL) {
51 errno = EINVAL;
52 return -1;
53@@ -299,6 +301,29 @@ int sftp_kbdint_recv_response(pool *p, unsigned int *count,
54
55 resp_count = sftp_msg_read_int(pkt->pool, &buf, &buflen);
56
57+ /* Ensure that the number of responses sent by the client is the same
58+ * as the number of challenges sent, lest a malicious client attempt to
59+ * trick us into allocating too much memory (Bug#3973).
60+ */
61+ if (resp_count != expected_count) {
62+ (void) pr_log_writefile(sftp_logfd, MOD_SFTP_VERSION,
63+ "sent %lu %s, but received %lu %s", (unsigned long) expected_count,
64+ expected_count != 1 ? "challenges" : "challenge",
65+ (unsigned long) resp_count, resp_count != 1 ? "responses" : "response");
66+ destroy_pool(pkt->pool);
67+ errno = EPERM;
68+ return -1;
69+ }
70+
71+ if (resp_count > SFTP_KBDINT_MAX_RESPONSES) {
72+ (void) pr_log_writefile(sftp_logfd, MOD_SFTP_VERSION,
73+ "received too many responses (%lu > max %lu), rejecting",
74+ (unsigned long) resp_count, (unsigned long) SFTP_KBDINT_MAX_RESPONSES);
75+ destroy_pool(pkt->pool);
76+ errno = EPERM;
77+ return -1;
78+ }
79+
80 list = make_array(p, resp_count, sizeof(char *));
81 for (i = 0; i < resp_count; i++) {
82 char *resp;
83@@ -307,7 +332,7 @@ int sftp_kbdint_recv_response(pool *p, unsigned int *count,
84 *((char **) push_array(list)) = pstrdup(p, sftp_utf8_decode_str(p, resp));
85 }
86
87- *count = (unsigned int) resp_count;
88+ *rcvd_count = (unsigned int) resp_count;
89 *responses = ((const char **) list->elts);
90 return 0;
91 }
92diff --git a/contrib/mod_sftp/mod_sftp.h.in b/contrib/mod_sftp/mod_sftp.h.in
93index 3e91390..c547be0 100644
94--- a/contrib/mod_sftp/mod_sftp.h.in
95+++ b/contrib/mod_sftp/mod_sftp.h.in
96@@ -1,6 +1,6 @@
97 /*
98 * ProFTPD - mod_sftp
99- * Copyright (c) 2008-2011 TJ Saunders
100+ * Copyright (c) 2008-2013 TJ Saunders
101 *
102 * This program is free software; you can redistribute it and/or modify
103 * it under the terms of the GNU General Public License as published by
104@@ -174,7 +174,8 @@ int sftp_kbdint_register_driver(const char *name, sftp_kbdint_driver_t *driver);
105 int sftp_kbdint_unregister_driver(const char *name);
106 int sftp_kbdint_send_challenge(const char *, const char *, unsigned int,
107 sftp_kbdint_challenge_t *);
108-int sftp_kbdint_recv_response(pool *, unsigned int *, const char ***);
109+int sftp_kbdint_recv_response(pool *, unsigned int, unsigned int *,
110+ const char ***);
111
112 /* API for modules that which to register keystores, for the
113 * SFTPAuthorizedHostKeys and SFTPAuthorizedUserKeys directives.
114diff --git a/contrib/mod_sftp_pam.c b/contrib/mod_sftp_pam.c
115index 6c32df0..81aa113 100644
116--- a/contrib/mod_sftp_pam.c
117+++ b/contrib/mod_sftp_pam.c
118@@ -179,22 +179,13 @@ static int sftppam_converse(int nmsgs, PR_PAM_CONST struct pam_message **msgs,
119 return PAM_CONV_ERR;
120 }
121
122- if (sftp_kbdint_recv_response(sftppam_driver.driver_pool, &recvd_count,
123- &recvd_responses) < 0) {
124+ if (sftp_kbdint_recv_response(sftppam_driver.driver_pool, list->nelts,
125+ &recvd_count, &recvd_responses) < 0) {
126 pr_trace_msg(trace_channel, 3,
127 "error receiving keyboard-interactive responses: %s", strerror(errno));
128 return PAM_CONV_ERR;
129 }
130
131- /* Make sure that the count of responses matches the challenge count. */
132- if (recvd_count != list->nelts) {
133- (void) pr_log_writefile(sftp_logfd, MOD_SFTP_PAM_VERSION,
134- "sent %d %s, but received %u %s", nmsgs,
135- list->nelts != 1 ? "challenges" : "challenge", recvd_count,
136- recvd_count != 1 ? "responses" : "response");
137- return PAM_CONV_ERR;
138- }
139-
140 res = calloc(nmsgs, sizeof(struct pam_response));
141 if (res == NULL) {
142 pr_log_pri(PR_LOG_CRIT, "Out of memory!");
diff --git a/meta-networking/recipes-daemons/proftpd/proftpd_1.3.4b.bb b/meta-networking/recipes-daemons/proftpd/proftpd_1.3.4b.bb
index 4d2fcd725..a5e766af5 100644
--- a/meta-networking/recipes-daemons/proftpd/proftpd_1.3.4b.bb
+++ b/meta-networking/recipes-daemons/proftpd/proftpd_1.3.4b.bb
@@ -4,7 +4,7 @@ HOMEPAGE = "http://www.proftpd.org"
4LICENSE = "GPLv2+" 4LICENSE = "GPLv2+"
5LIC_FILES_CHKSUM = "file://COPYING;md5=fb0d1484d11915fa88a6a7702f1dc184" 5LIC_FILES_CHKSUM = "file://COPYING;md5=fb0d1484d11915fa88a6a7702f1dc184"
6 6
7PR = "r3" 7PR = "r4"
8 8
9SRC_URI = "ftp://ftp.proftpd.org/distrib/source/${BPN}-${PV}.tar.gz \ 9SRC_URI = "ftp://ftp.proftpd.org/distrib/source/${BPN}-${PV}.tar.gz \
10 file://make.patch \ 10 file://make.patch \
@@ -15,6 +15,7 @@ SRC_URI = "ftp://ftp.proftpd.org/distrib/source/${BPN}-${PV}.tar.gz \
15 file://move-pidfile-to-var-run.patch \ 15 file://move-pidfile-to-var-run.patch \
16 file://close-RequireValidShell-check.patch \ 16 file://close-RequireValidShell-check.patch \
17 file://move-runfile-to-var-run.patch \ 17 file://move-runfile-to-var-run.patch \
18 file://proftpd-sftp.patch \
18" 19"
19 20
20SRC_URI[md5sum] = "0871e0b93c9c3c88ca950b6d9a04aed2" 21SRC_URI[md5sum] = "0871e0b93c9c3c88ca950b6d9a04aed2"