Bug#759936: proftpd-mod-vroot: Module is broken because of erroneous function vroot_lookup_path

[votdev]

Package: proftpd-mod-vroot
Version: 0.9.2-2+b2
Severity: grave
 
The proftpd module mod_vroot is broken, because the alias string
processing is erroneous. The result of the function vroot_lookup_path
may look like this without the attached patch:
static int vroot_lstat(pr_fs_t *fs, const char *orig_path, struct stat
*st) {
...
  if (vroot_lookup_path(NULL, vpath, sizeof(vpath)-1, path, 0, NULL) < 0) {
    destroy_pool(tmp_pool);
    return -1;
  }
(void) pr_log_writefile(vroot_logfd, MOD_VROOT_VERSION, "(lstat) ==>
path '%s'", path);
(void) pr_log_writefile(vroot_logfd, MOD_VROOT_VERSION, "(lstat) ==>
vpath '%s'", vpath);
  if ((vroot_opts & VROOT_OPT_ALLOW_SYMLINKS) ||
      vroot_is_alias(path) == 0) {
...
)
Aug 22 21:06:18 mod_vroot/0.9.2[8919]: (lstat) ==> path '/folder1/test.sh'
Aug 22 21:06:18 mod_vroot/0.9.2[8919]: (lstat) ==> vpath
'/media/b464f0f6-0ebc-426f-b5cf-4f4324ccf906/folder1/ebc-426f-b5cf-4f4324ccf906/folder1/ebc-426f-b5cf-4f4324ccf906/folder1/ebc-426f-b5cf-4f4324ccf906/folder1/ebc-426f-b5cf-4f4324ccf906/folder1/ebc-426f-b5cf-4f4324ccf906/folder1/ebc-426f-b5cf-4f4324ccf906/folder1/ebc-426f-b5cf-4f4324ccf906/folder1/ebc-426f-b5cf-4f4324ccf906/folder1/ebc-426f-b5cf-4f4324ccf906/folder1/ebc-426f-b5cf-4f4324ccf906/folder1/ebc-426f-b5cf-4f4324ccf906/folder1/ebc-426f-b5cf-4f4324ccf906/folder1/ebc-426f-b5cf-4f4324ccf906/folder1/ebc-426f-b5cf-4f4324ccf906/folder1/ebc-426f-b5cf-4f4324ccf906/folder1/ebc-426f-b5cf-4f4324ccf906/folder1/ebc-426f-b5cf-4f4324ccf906/folder1/ebc-426f-b5cf-4f4324ccf906/folder1/ebc-426f-b5cf-4f4324ccf906/folder1/ebc-426f-b5cf-4f4324ccf906/folder1/ebc-426f-b5cf-4f4324ccf906/folder1/ebc-426f-b5cf-4f4324ccf906/folder1/ebc-426f-b5cf-4f4324ccf906/folder1/ebc-426f-b5cf-4f4324ccf906/folder1/ebc-426f-b5cf-4f4324ccf906/folder1/ebc-426f-b5cf-4f4324ccf906/folder1/eb
Using the following patch makes the module working. The code changes has
been taken from the original GIT
repositoryhttps://github.com/Castaglia/proftpd-mod_vroot
<https://3c.gmx.net/mail/client/dereferrer?redirectUrl=https%3A%2F%2Fgithub.com%2FCastaglia%2Fproftpd-mod_vroot>.
--- proftpd-mod-vroot-0.9.2.orig/mod_vroot.c
+++ proftpd-mod-vroot-0.9.2/mod_vroot.c
@@ -225,7 +225,7 @@ loop:
 
   } else if (*bufp != '\0') {
     size_t buflen, tmplen;
-    char *ptr;
+    char *ptr = NULL;
 
     ptr = strstr(bufp, "..");
     if (ptr != NULL) {
@@ -280,9 +280,14 @@ loop:
     if (vroot_aliastab != NULL) {
       char *start_ptr = NULL, *end_ptr = NULL, *src_path = NULL;
 
+      /* buf is used here for storing the "suffix", to be appended
later when
+       * aliases are found.
+       */
+      bufp = buf;
+
       start_ptr = path;
       while (start_ptr != NULL) {
-        char *ptr;
+        char *ptr = NULL;
 
         pr_signals_handle();
 
@@ -312,8 +317,8 @@ loop:
           sstrncpy(path, src_path, pathlen);
 
           if (end_ptr != NULL) {
-            sstrcat(path, "/", pathlen);
-            sstrcat(path, end_ptr + 1, pathlen);
+            /* Now tack on our suffix from the scratchpad. */
+            sstrcat(path, bufp, pathlen);
           }
 
           break;
@@ -334,6 +339,8 @@ loop:
           break;
         }
 
+        /* Store the suffix in the buf scratchpad. */
+        sstrncpy(buf, ptr, sizeof(buf));
         end_ptr = ptr;
         *end_ptr = '\0';
       }

Regards
Volker
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.alioth.debian.org/pipermail/pkg-proftpd-maintainers/attachments/20140830/e6232036/attachment-0001.html>