Date: Fri, 10 May 2024 11:14:52 +0100 (BST)
From: Peter Stephenson
To: Hamidreza <0xxparrot1@gmail.com>, zsh-workers@zsh.org
Message-ID: <323009376.1482906.1715336092479@mail.virginmedia.com>
Subject: Re: User after Free in zftp module
X-Seq: 52924

> On 10/05/2024 09:26 BST Hamidreza <0xxparrot1@gmail.com> wrote:
> There is a security vulnerability in the zftp module.
>
> At
> `https://github.com/zsh-users/zsh/blob/acdcf9d8542a4461c0fceb98fdfef7380a128f78/Src/Modules/zftp.c#L3149`,
> `zfsessions` is being freed but the variable is not set to NULL
> afterwards, which leads to a "Use after Free" bug.

Thanks, that's clear.

pws

diff --git a/Src/Modules/zftp.c b/Src/Modules/zftp.c
index 0c26828..b60e5bf 100644
--- a/Src/Modules/zftp.c
+++ b/Src/Modules/zftp.c
@@ -3147,6 +3147,7 @@ zftp_cleanup(void) lastmsg = NULL; zfunsetparam("ZFTP_SESSION"); freelinklist(zfsessions, (FreeFunc) freesession); + zfsessions = NULL; zfree(zfstatusp, sizeof(int)*zfsesscnt); zfstatusp = NULL; }
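Review bot: `zfsesscnt` is left at its old value after this hunk even though both `zfsessions` and `zfstatusp` are now NULL; `zfree(zfstatusp, sizeof(int)*zfsesscnt)` still reads it, and any later code that consults the count before checking the pointers would see a non-zero session count backed by a NULL list and a NULL status array. Consider resetting `zfsesscnt = 0;` after the `zfree` line, or confirming the caller of `zftp_cleanup` does so, so the count stays consistent with the pointers the hunk now clears. The added `zfsessions = NULL;` itself is fine and mirrors the existing `zfstatusp = NULL;` pattern two lines below.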