From cf6d32b00e06bf50bd827f28d930d0f0f54c706669eb1e22fc3fb46c1feb9c4a Mon Sep 17 00:00:00 2001 From: Peter Simons Date: Thu, 7 Sep 2017 13:15:52 +0000 Subject: [PATCH] Add "vsftpd-die-with-session.patch" to fix a bug in vsftpd that would cause SSL protocol errors, aborting the connection, whenever system errors occurred that were supposed to be non-fatal. [bsc#1044292] OBS-URL: https://build.opensuse.org/package/show/network/vsftpd?expand=0&rev=115 --- vsftpd-die-with-session.patch | 155 ++++++++++++++++++++++++++++++++++ vsftpd.changes | 8 ++ vsftpd.spec | 2 + 3 files changed, 165 insertions(+) create mode 100644 vsftpd-die-with-session.patch diff --git a/vsftpd-die-with-session.patch b/vsftpd-die-with-session.patch new file mode 100644 index 0000000..8be0839 --- /dev/null +++ b/vsftpd-die-with-session.patch @@ -0,0 +1,155 @@ +Index: vsftpd-3.0.2/main.c +=================================================================== +--- vsftpd-3.0.2.orig/main.c ++++ vsftpd-3.0.2/main.c +@@ -155,6 +155,9 @@ main(int argc, const char* argv[]) + the_session.num_clients = ret.num_children; + the_session.num_this_ip = ret.num_this_ip; + } ++ ++ die_init(&the_session); ++ + if (tunable_tcp_wrappers) + { + the_session.tcp_wrapper_ok = vsf_tcp_wrapper_ok(VSFTP_COMMAND_FD); +Index: vsftpd-3.0.2/utility.c +=================================================================== +--- vsftpd-3.0.2.orig/utility.c ++++ vsftpd-3.0.2/utility.c +@@ -9,9 +9,22 @@ + #include "sysutil.h" + #include "str.h" + #include "defs.h" ++#include "session.h" ++#include "tunables.h" ++#include "privsock.h" ++#include "ssl.h" ++#include + + #define DIE_DEBUG + ++static struct vsf_session *s_p_sess = NULL; ++ ++void ++die_init(struct vsf_session *p_sess) ++{ ++ s_p_sess = p_sess; ++} ++ + void + die(const char* p_text) + { +@@ -40,12 +53,70 @@ die2(const char* p_text1, const char* p_ + void + bug(const char* p_text) + { ++ /* Detect calls caused by failed logging from bug() itself ++ * to prevent infinite loops */ ++ static int s_in_bug = 0; ++ const unsigned int buffer_size = 256; ++ char text_buffer[buffer_size]; ++ unsigned int text_len; ++ ++ if (s_in_bug) ++ return; ++ ++ s_in_bug = 1; ++ ++ if (s_p_sess) ++ { ++ /* Try to write the message to logs */ ++ if (s_p_sess->vsftpd_log_fd != -1) ++ { ++ snprintf(text_buffer, buffer_size, ++ "%s vsftpd [pid %d]: \"%s\" from \"%s\": %s", ++ vsf_sysutil_get_current_date(), vsf_sysutil_getpid(), ++ str_getbuf(&s_p_sess->user_str), ++ str_getbuf(&s_p_sess->remote_ip_str), p_text); ++ text_len = vsf_sysutil_strlen(text_buffer); ++ vsf_sysutil_write_loop(s_p_sess->vsftpd_log_fd, text_buffer, text_len); ++ } ++ ++ if (tunable_syslog_enable) ++ { ++ snprintf(text_buffer, buffer_size, "\"%s\" from \"%s\": %s", ++ str_getbuf(&s_p_sess->user_str), ++ str_getbuf(&s_p_sess->remote_ip_str), p_text); ++ vsf_sysutil_syslog(text_buffer, 1); ++ } ++ } ++ else ++ { ++ /* dummy logging before the system is fully set up */ ++ if (tunable_syslog_enable) ++ { ++ vsf_sysutil_syslog(p_text, 1); ++ } ++ } ++ ++ snprintf(text_buffer, buffer_size, "500 OOPS: %s\r\n", p_text); ++ text_len = vsf_sysutil_strlen(text_buffer); ++ + /* Rats. Try and write the reason to the network for diagnostics */ +- vsf_sysutil_activate_noblock(VSFTP_COMMAND_FD); +- (void) vsf_sysutil_write_loop(VSFTP_COMMAND_FD, "500 OOPS: ", 10); +- (void) vsf_sysutil_write_loop(VSFTP_COMMAND_FD, p_text, +- vsf_sysutil_strlen(p_text)); +- (void) vsf_sysutil_write_loop(VSFTP_COMMAND_FD, "\r\n", 2); ++ if (s_p_sess && s_p_sess->control_use_ssl) ++ { ++ if (s_p_sess->ssl_slave_active) ++ { ++ priv_sock_send_cmd(s_p_sess->ssl_consumer_fd, PRIV_SOCK_WRITE_USER_RESP); ++ priv_sock_send_buf(s_p_sess->ssl_consumer_fd, text_buffer, text_len); ++ } ++ else ++ { ++ (void)ssl_write(s_p_sess->p_control_ssl, text_buffer, text_len); ++ } ++ } ++ else ++ { ++ vsf_sysutil_activate_noblock(VSFTP_COMMAND_FD); ++ (void) vsf_sysutil_write_loop(VSFTP_COMMAND_FD, text_buffer, text_len); ++ } + vsf_sysutil_exit(2); + } + +Index: vsftpd-3.0.2/utility.h +=================================================================== +--- vsftpd-3.0.2.orig/utility.h ++++ vsftpd-3.0.2/utility.h +@@ -2,6 +2,18 @@ + #define VSF_UTILITY_H + + struct mystr; ++struct vsf_session; ++ ++/* die_init ++ * PURPOSE ++ * Initialize static pointer to vsf_session used for ++ * logging and SSL support used by die() and bug(). ++ * If not set (or set to NULL) only dummy write ++ * to VSFTP_COMMAND_FD will be done. ++ * PARAMETERS ++ * p_sess - pointer to vsf_session or NULL ++ */ ++void die_init(struct vsf_session *p_sess); + + /* die() + * PURPOSE +Index: vsftpd-3.0.2/seccompsandbox.c +=================================================================== +--- vsftpd-3.0.2.orig/seccompsandbox.c ++++ vsftpd-3.0.2/seccompsandbox.c +@@ -556,6 +556,10 @@ seccomp_sandbox_setup_postlogin_broker() + allow_nr(__NR_fchown); + allow_nr_1_arg_match(__NR_recvmsg, 3, 0); + } ++ if (tunable_syslog_enable) ++ { ++ allow_nr_1_arg_match(__NR_sendto, 6, 0); ++ } + } + + void diff --git a/vsftpd.changes b/vsftpd.changes index c4f2b0c..19534b5 100644 --- a/vsftpd.changes +++ b/vsftpd.changes @@ -1,3 +1,11 @@ +------------------------------------------------------------------- +Thu Sep 7 12:24:26 UTC 2017 - tchvatal@suse.com + +- Add "vsftpd-die-with-session.patch" to fix a bug in vsftpd that + would cause SSL protocol errors, aborting the connection, whenever + system errors occurred that were supposed to be non-fatal. + [bsc#1044292] + ------------------------------------------------------------------- Wed Jun 14 11:42:26 UTC 2017 - tchvatal@suse.com diff --git a/vsftpd.spec b/vsftpd.spec index 6f2f3dc..0ce8bc7 100644 --- a/vsftpd.spec +++ b/vsftpd.spec @@ -72,6 +72,7 @@ Patch24: vsftpd-3.0.2-wnohang.patch Patch25: vsftpd-3.0.2-fix-chown-uploads.patch #FIX-FIX-OPENSUSE: bsc#1042673 Patch26: vsftpd-3.0.3-build-with-openssl-1.1.patch +Patch27: vsftpd-die-with-session.patch BuildRequires: libcap-devel BuildRequires: libopenssl-devel BuildRequires: pam-devel @@ -126,6 +127,7 @@ tests. %patch24 -p1 %patch25 -p1 %patch26 -p1 +%patch27 -p1 %build %define seccomp_opts -D_GNU_SOURCE -DUSE_SECCOMP