CVE-2023-22551: Denial-of-service bug · Issue #8 · rovinbhandari/FTP

The FTP (aka “Implementation of a simple FTP client and server”) project through 96c1a35 allows remote attackers to cause a denial of service (memory consumption) by engaging in client activity, such as establishing and then terminating a connection. This occurs because malloc is used but free is not.


How to reproduce

Apply the prepared patch file reproduce.patch, which is included only to make the leak easier to observe:

patch -p1 < reproduce.patch

Compile

Start the server

./bin/server/server_ftp.out

Start the client to establish the connection and exit immediately

timeout 1s ./bin/client/client_ftp.out

The server then crashes with the following AddressSanitizer report:

=================================================================
==1199805==ERROR: LeakSanitizer: detected memory leaks

Direct leak of 512 byte(s) in 1 object(s) allocated from:
    #0 0x55ec05154f7e in __interceptor_malloc (/root/projects/FTP/bin/server/server_ftp.out+0xa6f7e) (BuildId: 66b4d91f9c39c73e3399c16f9d667ddf369a1250)
    #1 0x55ec05192071 in serve_client /root/projects/FTP/server_ftp.c:53:41
    #2 0x55ec05191e28 in main /root/projects/FTP/server_ftp.c:40:2
    #3 0x7f6b1e895d09 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x23d09) (BuildId: b503275bf9fee51581fdceef97533b194035b4f7)

Direct leak of 8 byte(s) in 1 object(s) allocated from:
    #0 0x55ec05154f7e in __interceptor_malloc (/root/projects/FTP/bin/server/server_ftp.out+0xa6f7e) (BuildId: 66b4d91f9c39c73e3399c16f9d667ddf369a1250)
    #1 0x55ec0518f917 in client_info_alloc /root/projects/FTP/server_ftp_functions.c:7:49
    #2 0x55ec05191e15 in main /root/projects/FTP/server_ftp.c:39:27
    #3 0x7f6b1e895d09 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x23d09) (BuildId: b503275bf9fee51581fdceef97533b194035b4f7)

SUMMARY: AddressSanitizer: 520 byte(s) leaked in 2 allocation(s).

Bug analysis

The server uses the function serve_client to handle each connection from a client:

    while(1)
    {
        if((x = sfd_client = accept(sfd_server, (struct sockaddr*) &sin_client, &size_sockaddr)) < 0)
            er("accept()", x);
        printf(ID "Communication started with %s:%d\n", inet_ntoa(sin_client.sin_addr), ntohs(sin_client.sin_port));
        fflush(stdout);
        struct client_info* ci = client_info_alloc(sfd_client, connection_id++);
        serve_client(ci);
    }

In serve_client, the packet buffer allocated via malloc is never freed, causing a memory leak:

struct packet* data = (struct packet*) malloc(size_packet);

The sanitizer report above also shows that the struct client_info allocated by client_info_alloc in main is never freed. Because every connection leaves these allocations behind, a remote client that repeatedly connects and disconnects can exhaust the server's memory, so this bug can cause a denial of service.
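To make the per-connection cost concrete, here is an added example (not the project's code) that models the handler in its leaky form and in a form that frees what it allocated, using hypothetical size-tracking wrappers in place of plain malloc/free, and counts what remains allocated after n connect/disconnect cycles. All names and the 512/8-byte sizes are assumptions chosen to mirror the two leaks in the report.

```c
#include <stdlib.h>

/* Constructed model of the server's per-connection path (hypothetical names,
 * not the project's code); 512 and 8 bytes match the two leaks in the report. */
#define SIZE_PACKET 512
struct client_info { int sfd_client; int id; };
struct packet { char payload[SIZE_PACKET]; };

/* Size-tracking wrappers so the leak is measurable without a sanitizer. */
static size_t bytes_live = 0;
static void *tracked_malloc(size_t n) {
    size_t *p = malloc(sizeof *p + n);   /* header records n for tracked_free */
    if (!p) abort();
    *p = n; bytes_live += n;
    return p + 1;
}
static void tracked_free(void *q) {
    size_t *p = (size_t *)q - 1;
    bytes_live -= *p; free(p);
}
static struct client_info *client_info_alloc(int sfd, int id) {
    struct client_info *ci = tracked_malloc(sizeof *ci);
    ci->sfd_client = sfd; ci->id = id;
    return ci;
}

/* Vulnerable shape: one malloc per connection and no free on the way out. */
static void serve_client_leaky(struct client_info *ci) {
    struct packet *data = tracked_malloc(sizeof *data);
    data->payload[0] = (char)ci->id;   /* stand-in for request handling */
    /* connection ends here; data and ci are both dropped, never freed */
}

/* Fixed shape: release both allocations before the handler returns. */
static void serve_client_fixed(struct client_info *ci) {
    struct packet *data = tracked_malloc(sizeof *data);
    data->payload[0] = (char)ci->id;
    tracked_free(data);
    tracked_free(ci);
}

/* Drive n connect/disconnect cycles; return bytes still allocated afterwards
 * (grows by 520 per connection for the leaky handler on typical platforms). */
size_t run_connections(void (*handler)(struct client_info *), int n) {
    bytes_live = 0;
    for (int id = 0; id < n; id++)
        handler(client_info_alloc(100 + id, id));
    return bytes_live;
}
```

Calling run_connections(serve_client_leaky, 1000) returns the bytes an attacker-driven churn of 1000 connections would pin, while run_connections(serve_client_fixed, 1000) returns 0.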
