CVE-2023-22551: Denial-of-service bug · Issue #8 · rovinbhandari/FTP
The FTP (aka “Implementation of a simple FTP client and server”) project through 96c1a35 allows remote attackers to cause a denial of service (memory consumption) by engaging in client activity, such as establishing and then terminating a connection. This occurs because malloc is used but free is not.
How to reproduce
Apply the prepared patch file reproduce.patch for a clearer illustration:
patch -p1 < reproduce.patch
Compile
Start the server
./bin/server/server_ftp.out
Start the client to establish the connection and exit immediately
timeout 1s ./bin/client/client_ftp.out
Then, the server crashes with the following AddressSanitizer report:
=================================================================
==1199805==ERROR: LeakSanitizer: detected memory leaks
Direct leak of 512 byte(s) in 1 object(s) allocated from:
#0 0x55ec05154f7e in __interceptor_malloc (/root/projects/FTP/bin/server/server_ftp.out+0xa6f7e) (BuildId: 66b4d91f9c39c73e3399c16f9d667ddf369a1250)
#1 0x55ec05192071 in serve_client /root/projects/FTP/server_ftp.c:53:41
#2 0x55ec05191e28 in main /root/projects/FTP/server_ftp.c:40:2
#3 0x7f6b1e895d09 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x23d09) (BuildId: b503275bf9fee51581fdceef97533b194035b4f7)
Direct leak of 8 byte(s) in 1 object(s) allocated from:
#0 0x55ec05154f7e in __interceptor_malloc (/root/projects/FTP/bin/server/server_ftp.out+0xa6f7e) (BuildId: 66b4d91f9c39c73e3399c16f9d667ddf369a1250)
#1 0x55ec0518f917 in client_info_alloc /root/projects/FTP/server_ftp_functions.c:7:49
#2 0x55ec05191e15 in main /root/projects/FTP/server_ftp.c:39:27
#3 0x7f6b1e895d09 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x23d09) (BuildId: b503275bf9fee51581fdceef97533b194035b4f7)
SUMMARY: AddressSanitizer: 520 byte(s) leaked in 2 allocation(s).
Bug analysis
The server uses the function serve_client to handle each connection from a client:
while(1)
{
    if((x = sfd_client = accept(sfd_server, (struct sockaddr*) &sin_client, &size_sockaddr)) < 0)
        er("accept()", x);
    printf(ID "Communication started with %s:%d\n", inet_ntoa(sin_client.sin_addr), ntohs(sin_client.sin_port));
    fflush(stdout);
    /* one client_info per accepted connection */
    struct client_info* ci = client_info_alloc(sfd_client, connection_id++);
    serve_client(ci);
}
In the function serve_client, the memory allocated via malloc is never freed, causing a memory leak:
struct packet* data = (struct packet*) malloc(size_packet);
Because every connection leaks its allocation, a remote client that repeatedly connects and disconnects can exhaust the server's memory, so this bug can cause a denial of service.
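For contrast, here is an added example (hypothetical code, not the project's) of a per-connection handler that releases the packet buffer and the client_info on every exit path. It reuses the issue's symbol names (client_info_alloc, serve_client, struct packet) but the bodies are assumptions, and the connection is simulated with a pipe so the example runs offline; live_allocations is instrumentation that a leak would leave non-zero.

```c
/* Added example (hypothetical, not the project's code): a per-connection handler
 * that releases its allocations on every path. Names follow the issue's symbols;
 * the connection is a pipe so the example runs offline. */
#include <stdlib.h>
#include <unistd.h>

struct client_info { int sfd; int id; };
struct packet { char payload[512]; };      /* 512 bytes, as in the leak report */

static long live_allocations = 0;          /* instrumentation: outstanding mallocs */
static void *xmalloc(size_t n) { void *p = malloc(n); if (p) live_allocations++; return p; }
static void xfree(void *p) { if (p) { live_allocations--; free(p); } }

struct client_info *client_info_alloc(int sfd, int id) {
    struct client_info *ci = xmalloc(sizeof *ci);
    if (ci) { ci->sfd = sfd; ci->id = id; }
    return ci;
}

/* Reads until the peer closes and returns the byte count. The packet buffer,
 * the socket and the client_info are released whether or not any data arrived. */
long serve_client(struct client_info *ci) {
    long handled = 0;
    struct packet *data = xmalloc(sizeof *data);
    if (data) {
        ssize_t n;
        while ((n = read(ci->sfd, data->payload, sizeof data->payload)) > 0)
            handled += n;                  /* a real server would dispatch here */
    }
    xfree(data);
    close(ci->sfd);
    xfree(ci);
    return handled;
}

/* Simulates clients that connect, optionally send one line, then disconnect. */
long simulate_connections(int connections) {
    long total = 0;
    for (int id = 0; id < connections; id++) {
        int fds[2];
        if (pipe(fds) != 0) return -1;
        if (id % 2 && write(fds[1], "USER anon\r\n", 11) != 11) return -1;
        close(fds[1]);                     /* the client goes away */
        struct client_info *ci = client_info_alloc(fds[0], id);
        if (!ci) { close(fds[0]); return -1; }
        total += serve_client(ci);
    }
    return total;                          /* live_allocations is 0 afterwards */
}
```

Running the original server under LeakSanitizer as the issue does is the matching check: with this pattern the "Direct leak" entries for serve_client and client_info_alloc disappear.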