ftp_telnet: FTP Stale buffer pointer fix (#5262)
authorSowjanya Vardhineni <sovardhi@cisco.com>
Mon, 13 Apr 2026 06:19:12 +0000 (11:49 +0530)
committerGitHub <noreply@github.com>
Mon, 13 Apr 2026 06:19:12 +0000 (11:49 +0530)
src/service_inspectors/ftp_telnet/ftp_client.h
src/service_inspectors/ftp_telnet/ftp_server.h
src/service_inspectors/ftp_telnet/pp_ftp.cc

index 8fbea7e6b1aede9e91377ef323bf5e13c1aebfd0..a96c3bbea4432ed088d6830b6b172b68025dffc6 100644 (file)
@@ -26,6 +26,8 @@
 #ifndef FTP_CLIENT_H
 #define FTP_CLIENT_H
 
+#include <vector>
+
 /*
  * FTP Client Module
  *
@@ -47,6 +49,8 @@ struct FTP_CLIENT_REQ
     unsigned int param_size;
 
     const char* pipeline_req;
+    // Keep layout compatible with FTP_CLIENT_REQ for shared parsing logic.
+    std::vector<char> param_buffer;
 };
 
 struct FTP_CLIENT
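Review bot: The added comment names the struct it sits in: here it says the layout is kept compatible with FTP_CLIENT_REQ, and the matching hunk in ftp_server.h says FTP_SERVER_RSP, so neither tells a reader which other struct has to stay in step. I would write `// Must stay at the same offset as FTP_SERVER_RSP::param_buffer; both structs go through the same parsing code.` here and the mirror image in ftp_server.h (that the shared code is check_ftp is inferred from the pp_ftp.cc hunk, not shown here). A `std::vector` member also makes both structs non-trivial, so any reset or copy of the session done with memset/memcpy outside this diff would corrupt the vector; that is worth confirming and stating in the same comment. The struct definition starts outside the hunk.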
index 54156ff476c622335c5b3c0c32b5516b8d69d855..2fe30ad8183696975e4faf46ed0e0c691c692d4c 100644 (file)
@@ -26,6 +26,8 @@
 #ifndef FTP_SERVER_H
 #define FTP_SERVER_H
 
+#include <vector>
+
 /*
  * FTP Server Module
  *
@@ -47,6 +49,8 @@ typedef struct s_FTP_SERVER_RSP
     unsigned int msg_size;
 
     char* pipeline_req;
+    // Keep layout compatible with FTP_SERVER_RSP for shared parsing logic.
+    std::vector<char> param_buffer;
     int state;
 } FTP_SERVER_RSP;
 
index e0634a862bc0314d9b0105dde7d607a2cb399817..eb9ea29868649137178302a28b15e7b8716adae4 100644 (file)
@@ -1735,14 +1735,21 @@ int check_ftp(FTP_SESSION* ftpssn, Packet* p, int iMode)
             }
             else if (space || ftpssn->server.response.state != 0)
             {
-                /* Now grab the command parameters/response message
-                 * read_ptr < end already checked */
-                req->param_begin = (const char*)read_ptr;
-                if ((read_ptr = (const unsigned char*)memchr(read_ptr, CR, end - read_ptr)) == nullptr)
-                    read_ptr = end;
-                req->param_end = (const char*)read_ptr;
-                req->param_size = req->param_end - req->param_begin;
-                read_ptr++;
+                const unsigned char* param_start = read_ptr;
+                const unsigned char* cr_pos = (const unsigned char*)memchr(read_ptr, CR, end - read_ptr);
+                const unsigned char* param_end = (cr_pos != nullptr) ? cr_pos : end;
+                size_t param_len = param_end - param_start;
+
+                req->param_buffer.resize(param_len + 1);
+                if (param_len > 0)
+                    memcpy(req->param_buffer.data(), param_start, param_len);
+                req->param_buffer[param_len] = '\0';
+
+                req->param_begin = req->param_buffer.data();
+                req->param_size = static_cast<unsigned int>(param_len);
+                req->param_end = req->param_buffer.data() + param_len;
+
+                read_ptr = param_end + 1;
 
                 if (read_ptr < end)
                 {
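Review bot: The new copy still depends on read_ptr < end, but the comment that recorded that precondition was deleted with the old lines, and the block now has no comment saying why the parameter is copied at all. It matters more than before: `size_t param_len = param_end - param_start;` turns a negative difference into a huge length that goes straight into `resize()`, so a later change that breaks the precondition gets an allocation failure rather than a wrong size field. I would restore it above `param_start`, e.g. `/* read_ptr < end already checked; copy the parameter so param_begin/param_end do not point into the packet buffer */`. Separately, `pipeline_req` is not touched in this hunk; if it is still assigned from read_ptr inside the `if (read_ptr < end)` that follows, it presumably keeps the packet-buffer lifetime this commit moves away from, which is worth checking. check_ftp starts and ends outside the hunk.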