From: Sowjanya Vardhineni
Date: Mon, 13 Apr 2026 06:19:12 +0000 (+0530)
Subject: ftp_telnet: FTP Stale buffer pointer fix (#5262)
X-Git-Tag: 3.12.2.0~9
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=474bc204c8a0b299b30881fed43a388ab6bc3335;p=thirdparty%2Fsnort3.git
ftp_telnet: FTP Stale buffer pointer fix (#5262)
---
diff --git a/src/service_inspectors/ftp_telnet/ftp_client.h b/src/service_inspectors/ftp_telnet/ftp_client.h
index 8fbea7e6b..a96c3bbea 100644
--- a/src/service_inspectors/ftp_telnet/ftp_client.h
+++ b/src/service_inspectors/ftp_telnet/ftp_client.h
@@ -26,6 +26,8 @@
 #ifndef FTP_CLIENT_H
 #define FTP_CLIENT_H
+#include
+
 /*
 * FTP Client Module
 *
@@ -47,6 +49,8 @@ struct FTP_CLIENT_REQ
 unsigned int param_size;
 const char* pipeline_req;
+ // Keep layout compatible with FTP_CLIENT_REQ for shared parsing logic.
+ std::vector param_buffer;
 };
 struct FTP_CLIENT
diff --git a/src/service_inspectors/ftp_telnet/ftp_server.h b/src/service_inspectors/ftp_telnet/ftp_server.h
index 54156ff47..2fe30ad81 100644
--- a/src/service_inspectors/ftp_telnet/ftp_server.h
+++ b/src/service_inspectors/ftp_telnet/ftp_server.h
@@ -26,6 +26,8 @@
 #ifndef FTP_SERVER_H
 #define FTP_SERVER_H
+#include
+
 /*
 * FTP Server Module
 *
@@ -47,6 +49,8 @@ typedef struct s_FTP_SERVER_RSP
 unsigned int msg_size;
 char* pipeline_req;
+ // Keep layout compatible with FTP_SERVER_RSP for shared parsing logic.
+ std::vector param_buffer;
 int state;
 } FTP_SERVER_RSP;
diff --git a/src/service_inspectors/ftp_telnet/pp_ftp.cc b/src/service_inspectors/ftp_telnet/pp_ftp.cc
index e0634a862..eb9ea2986 100644
--- a/src/service_inspectors/ftp_telnet/pp_ftp.cc
+++ b/src/service_inspectors/ftp_telnet/pp_ftp.cc
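Review bot: The comment added above `param_buffer` in ftp_client.h's `FTP_CLIENT_REQ` hunk asks for layout compatibility with `FTP_CLIENT_REQ` itself, and the ftp_server.h hunk repeats the slip with `FTP_SERVER_RSP`; each presumably means the other struct, e.g. `// Must stay at the same position as FTP_SERVER_RSP::param_buffer; the shared parsing logic handles both structs through one layout.` The new member is also the only non-trivial one visible in either struct, so any `memset`, `memcpy` or constructor-less allocation that covers these structs or an enclosing session object (none of that is visible in this diff) would now be undefined behaviour and is worth auditing before merge. A second comment line such as `// Owns the copied parameter bytes; param_begin/param_end point into it.` would record why the buffer exists. Both struct definitions start outside their hunks.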
@@ -1735,14 +1735,21 @@ int check_ftp(FTP_SESSION* ftpssn, Packet* p, int iMode)
 }
 else if (space || ftpssn->server.response.state != 0)
 {
- /* Now grab the command parameters/response message
- * read_ptr < end already checked */
- req->param_begin = (const char*)read_ptr;
- if ((read_ptr = (const unsigned char*)memchr(read_ptr, CR, end - read_ptr)) == nullptr)
- read_ptr = end;
- req->param_end = (const char*)read_ptr;
- req->param_size = req->param_end - req->param_begin;
- read_ptr++;
+ const unsigned char* param_start = read_ptr;
+ const unsigned char* cr_pos = (const unsigned char*)memchr(read_ptr, CR, end - read_ptr);
+ const unsigned char* param_end = (cr_pos != nullptr) ? cr_pos : end;
+ size_t param_len = param_end - param_start;
+
+ req->param_buffer.resize(param_len + 1);
+ if (param_len > 0)
+ memcpy(req->param_buffer.data(), param_start, param_len);
+ req->param_buffer[param_len] = '\0';
+
+ req->param_begin = req->param_buffer.data();
+ req->param_size = static_cast(param_len);
+ req->param_end = req->param_buffer.data() + param_len;
+
+ read_ptr = param_end + 1;
 if (read_ptr < end)
 {
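Review bot: `read_ptr = param_end + 1;` forms `end + 1` whenever no CR is found, which is beyond the one-past-the-end position and therefore undefined pointer arithmetic, even though the following `read_ptr < end` test keeps it from being dereferenced. The removed code did the same with `read_ptr = end; read_ptr++;`, so this is a carry-over the rewrite could close with `read_ptr = (cr_pos != nullptr) ? cr_pos + 1 : end;`. The commit also drops the old comment recording that `read_ptr < end` was already checked, yet `memchr(read_ptr, CR, end - read_ptr)` and `param_len` still rely on it: a negative difference would become a huge `size_t`. I would keep a line such as `// read_ptr < end already checked; copy the bytes so param_begin/param_end no longer point into the input buffer`. check_ftp continues outside the hunk, so confirm that nothing later depends on `read_ptr > end`.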