Add "vsftpd-die-with-session.patch" to fix a bug in vsftpd that would cause SSL protocol errors, aborting the connection, whenever system errors occurred that were supposed to be non-fatal. [bsc#1044292]

OBS-URL: https://build.opensuse.org/package/show/network/vsftpd?expand=0&rev=115

vsftpd-die-with-session.patch

@@ -0,0 +1,155 @@
+Index: vsftpd-3.0.2/main.c
+===================================================================
+--- vsftpd-3.0.2.orig/main.c
++++ vsftpd-3.0.2/main.c
+@@ -155,6 +155,9 @@ main(int argc, const char* argv[])
+     the_session.num_clients = ret.num_children;
+     the_session.num_this_ip = ret.num_this_ip;
+   }
++
++  die_init(&the_session);
++
+   if (tunable_tcp_wrappers)
+   {
+     the_session.tcp_wrapper_ok = vsf_tcp_wrapper_ok(VSFTP_COMMAND_FD);
+Index: vsftpd-3.0.2/utility.c
+===================================================================
+--- vsftpd-3.0.2.orig/utility.c
++++ vsftpd-3.0.2/utility.c
+@@ -9,9 +9,22 @@
+ #include "sysutil.h"
+ #include "str.h"
+ #include "defs.h"
++#include "session.h"
++#include "tunables.h"
++#include "privsock.h"
++#include "ssl.h"
++#include <stdio.h>
+ 
+ #define DIE_DEBUG
+ 
++static struct vsf_session *s_p_sess = NULL;
++
++void
++die_init(struct vsf_session *p_sess)
++{
++  s_p_sess = p_sess;
++}
++
+ void
+ die(const char* p_text)
+ {
+@@ -40,12 +53,70 @@ die2(const char* p_text1, const char* p_
+ void
+ bug(const char* p_text)
+ {
++  /* Detect calls caused by failed logging from bug() itself
++   * to prevent infinite loops */
++  static int s_in_bug = 0;
++  const unsigned int buffer_size = 256;
++  char text_buffer[buffer_size];
++  unsigned int text_len;
++
++  if (s_in_bug)
++	return;
++
++  s_in_bug = 1;
++
++  if (s_p_sess)
++  {
++    /* Try to write the message to logs */
++    if (s_p_sess->vsftpd_log_fd != -1)
++    {
++      snprintf(text_buffer, buffer_size,
++               "%s vsftpd [pid %d]: \"%s\" from \"%s\": %s",
++               vsf_sysutil_get_current_date(), vsf_sysutil_getpid(),
++               str_getbuf(&s_p_sess->user_str),
++               str_getbuf(&s_p_sess->remote_ip_str), p_text);
++      text_len = vsf_sysutil_strlen(text_buffer);
++      vsf_sysutil_write_loop(s_p_sess->vsftpd_log_fd, text_buffer, text_len);
++    }
++
++    if (tunable_syslog_enable)
++    {
++      snprintf(text_buffer, buffer_size, "\"%s\" from \"%s\": %s",
++               str_getbuf(&s_p_sess->user_str),
++               str_getbuf(&s_p_sess->remote_ip_str), p_text);
++      vsf_sysutil_syslog(text_buffer, 1);
++    }
++  }
++  else
++  {
++    /* dummy logging before the system is fully set up */
++    if (tunable_syslog_enable)
++    {
++      vsf_sysutil_syslog(p_text, 1);
++    }
++  }
++
++  snprintf(text_buffer, buffer_size, "500 OOPS: %s\r\n", p_text);
++  text_len = vsf_sysutil_strlen(text_buffer);
++
+   /* Rats. Try and write the reason to the network for diagnostics */
+-  vsf_sysutil_activate_noblock(VSFTP_COMMAND_FD);
+-  (void) vsf_sysutil_write_loop(VSFTP_COMMAND_FD, "500 OOPS: ", 10);
+-  (void) vsf_sysutil_write_loop(VSFTP_COMMAND_FD, p_text,
+-                                vsf_sysutil_strlen(p_text));
+-  (void) vsf_sysutil_write_loop(VSFTP_COMMAND_FD, "\r\n", 2);
++  if (s_p_sess && s_p_sess->control_use_ssl)
++  {
++    if (s_p_sess->ssl_slave_active)
++    {
++      priv_sock_send_cmd(s_p_sess->ssl_consumer_fd, PRIV_SOCK_WRITE_USER_RESP);
++      priv_sock_send_buf(s_p_sess->ssl_consumer_fd, text_buffer, text_len);
++    }
++    else
++    {
++      (void)ssl_write(s_p_sess->p_control_ssl, text_buffer, text_len);
++    }
++  }
++  else
++  {
++    vsf_sysutil_activate_noblock(VSFTP_COMMAND_FD);
++    (void) vsf_sysutil_write_loop(VSFTP_COMMAND_FD, text_buffer, text_len);
++  }
+   vsf_sysutil_exit(2);
+ }
+ 
+Index: vsftpd-3.0.2/utility.h
+===================================================================
+--- vsftpd-3.0.2.orig/utility.h
++++ vsftpd-3.0.2/utility.h
+@@ -2,6 +2,18 @@
+ #define VSF_UTILITY_H
+ 
+ struct mystr;
++struct vsf_session;
++
++/* die_init
++ * PURPOSE
++ * Initialize static pointer to vsf_session used for
++ * logging and SSL support used by die() and bug().
++ * If not set (or set to NULL) only dummy write
++ * to VSFTP_COMMAND_FD will be done.
++ * PARAMETERS
++ * p_sess       - pointer to vsf_session or NULL
++ */
++void die_init(struct vsf_session *p_sess);
+ 
+ /* die()
+  * PURPOSE
+Index: vsftpd-3.0.2/seccompsandbox.c
+===================================================================
+--- vsftpd-3.0.2.orig/seccompsandbox.c
++++ vsftpd-3.0.2/seccompsandbox.c
+@@ -556,6 +556,10 @@ seccomp_sandbox_setup_postlogin_broker()
+     allow_nr(__NR_fchown);
+     allow_nr_1_arg_match(__NR_recvmsg, 3, 0);
+   }
++  if (tunable_syslog_enable)
++  {
++    allow_nr_1_arg_match(__NR_sendto, 6, 0);
++  }
+ }
+ 
+ void

vsftpd.changes

@@ -1,3 +1,11 @@
+-------------------------------------------------------------------
+Thu Sep  7 12:24:26 UTC 2017 - tchvatal@suse.com
+
+- Add "vsftpd-die-with-session.patch" to fix a bug in vsftpd that
+  would cause SSL protocol errors, aborting the connection, whenever
+  system errors occurred that were supposed to be non-fatal.
+  [bsc#1044292]
+
 -------------------------------------------------------------------
 Wed Jun 14 11:42:26 UTC 2017 - tchvatal@suse.com
 

vsftpd.spec

@@ -72,6 +72,7 @@ Patch24:        vsftpd-3.0.2-wnohang.patch
 Patch25:        vsftpd-3.0.2-fix-chown-uploads.patch
 #FIX-FIX-OPENSUSE: bsc#1042673
 Patch26:        vsftpd-3.0.3-build-with-openssl-1.1.patch
+Patch27:        vsftpd-die-with-session.patch
 BuildRequires:  libcap-devel
 BuildRequires:  libopenssl-devel
 BuildRequires:  pam-devel
@@ -126,6 +127,7 @@ tests.
 %patch24 -p1
 %patch25 -p1
 %patch26 -p1
+%patch27 -p1
 
 %build
 %define seccomp_opts -D_GNU_SOURCE -DUSE_SECCOMP