Zsh Mailing List Archive

Re: User after Free in zftp module



> On 10/05/2024 09:26 BST Hamidreza <0xxparrot1@xxxxxxxxx> wrote:
> There is a security vulnerability in zftp module.
>
> At
> `https://github.com/zsh-users/zsh/blob/acdcf9d8542a4461c0fceb98fdfef7380a128f78/Src/Modules/zftp.c#L3149`,
> `zfsessions` is being freed but the variable is not set to NULL
> afterwards which leads to a "Use after Free" bug.

Thanks, that's clear.

pws

diff --git a/Src/Modules/zftp.c b/Src/Modules/zftp.c
index 0c26828..b60e5bf 100644
--- a/Src/Modules/zftp.c
+++ b/Src/Modules/zftp.c
@@ -3147,6 +3147,7 @@ zftp_cleanup(void)
     lastmsg = NULL;
     zfunsetparam("ZFTP_SESSION");
     freelinklist(zfsessions, (FreeFunc) freesession);
+    zfsessions = NULL;
     zfree(zfstatusp, sizeof(int)*zfsesscnt);
     zfstatusp = NULL;
 }
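
Review bot: after the zfree(zfstatusp, sizeof(int)*zfsesscnt) line, zfsesscnt keeps its old value while zfsessions and zfstatusp are both NULL, so the count no longer matches the state it describes; if nothing outside this hunk resets it, add zfsesscnt = 0; next to zfstatusp = NULL. It is also worth confirming that any code reachable after zftp_cleanup() that walks zfsessions tolerates NULL, since the new assignment turns a stale-pointer access into a NULL dereference rather than removing the access itself.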



