rovinbhandari / FTP

Implementation of a simple FTP client and server
156 stars, 99 forks

Denial-of-service bug #8

Open GoldBinocle opened 1 year ago

GoldBinocle commented 1 year ago

How to reproduce

Use the prepared patch file reproduce.patch for better illustration.

patch -p1 < reproduce.patch

Compile

make

Start the server

./bin/server/server_ftp.out

Start the client to establish the connection and exit immediately

timeout 1s ./bin/client/client_ftp.out

Then, the server will crash with an AddressSanitizer report:

=================================================================
==1199805==ERROR: LeakSanitizer: detected memory leaks

Direct leak of 512 byte(s) in 1 object(s) allocated from:
    #0 0x55ec05154f7e in __interceptor_malloc (/root/projects/FTP/bin/server/server_ftp.out+0xa6f7e) (BuildId: 66b4d91f9c39c73e3399c16f9d667ddf369a1250)
    #1 0x55ec05192071 in serve_client /root/projects/FTP/server_ftp.c:53:41
    #2 0x55ec05191e28 in main /root/projects/FTP/server_ftp.c:40:2
    #3 0x7f6b1e895d09 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x23d09) (BuildId: b503275bf9fee51581fdceef97533b194035b4f7)

Direct leak of 8 byte(s) in 1 object(s) allocated from:
    #0 0x55ec05154f7e in __interceptor_malloc (/root/projects/FTP/bin/server/server_ftp.out+0xa6f7e) (BuildId: 66b4d91f9c39c73e3399c16f9d667ddf369a1250)
    #1 0x55ec0518f917 in client_info_alloc /root/projects/FTP/server_ftp_functions.c:7:49
    #2 0x55ec05191e15 in main /root/projects/FTP/server_ftp.c:39:27
    #3 0x7f6b1e895d09 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x23d09) (BuildId: b503275bf9fee51581fdceef97533b194035b4f7)

SUMMARY: AddressSanitizer: 520 byte(s) leaked in 2 allocation(s).

Bug analysis

The server uses the function serve_client to handle each connection from the client: https://github.com/rovinbhandari/FTP/blob/96c1a3543b159427d41b89dd8d64792c83572774/server_ftp.c#L32-L41

In the function serve_client, the memory allocated via malloc is never freed, causing a memory leak. https://github.com/rovinbhandari/FTP/blob/96c1a3543b159427d41b89dd8d64792c83572774/server_ftp.c#L53

This bug can cause denial-of-service.
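The leak pattern from the analysis above, as an added example that is not part of the original issue or the project's code: a per-connection handler that allocates on entry and never frees, next to a hardened form that releases both allocations on every exit path, including the immediate-disconnect case from the reproduction steps. All names (`tracked_malloc`, `handle_leaky`, `handle_fixed`, `leaked_after`) are hypothetical, and the registry exists only so the leak can be counted.

```c
#include <stdio.h>
#include <stdlib.h>
/* Constructed model, not the project's code: a registry counts live allocations. */
#define MAX_LIVE 1024
#define BUF_SIZE 512   /* buffer size seen in the leak report */
static void *live[MAX_LIVE];
static void *tracked_malloc(size_t n) {
    for (int i = 0; i < MAX_LIVE; i++)
        if (!live[i]) return live[i] = malloc(n);
    return NULL;   /* registry full */
}
static void tracked_free(void *p) {
    for (int i = 0; p && i < MAX_LIVE; i++)
        if (live[i] == p) { live[i] = NULL; free(p); return; }
}
static long live_count(void) {
    long c = 0;
    for (int i = 0; i < MAX_LIVE; i++) c += (live[i] != NULL);
    return c;
}
/* Leaky shape: neither the early exit nor the normal exit frees anything. */
static int handle_leaky(int peer_gone) {
    int *info = tracked_malloc(sizeof *info);   /* hypothetical client state */
    char *buf = tracked_malloc(BUF_SIZE);
    if (!info || !buf || peer_gone) return -1;  /* client left immediately */
    buf[0] = '\0';                              /* stand-in for the session */
    return 0;
}
/* Hardened shape: both allocations are released on every path. */
static int handle_fixed(int peer_gone) {
    int rc = -1;
    int *info = tracked_malloc(sizeof *info);
    char *buf = tracked_malloc(BUF_SIZE);
    if (info && buf && !peer_gone) { buf[0] = '\0'; rc = 0; }
    tracked_free(buf);
    tracked_free(info);
    return rc;
}
/* Run n short-lived connections; return allocations still live afterwards. */
static long leaked_after(int (*handler)(int), int n) {
    long before = live_count();
    for (int i = 0; i < n; i++) handler(i % 2);  /* odd i: peer already gone */
    return live_count() - before;
}
int main(void) {
    printf("leaky: %ld live allocations\n", leaked_after(handle_leaky, 100));
    printf("fixed: %ld live allocations\n", leaked_after(handle_fixed, 100));
    return 0;
}
```

In the leaky handler the number of live allocations grows linearly with the number of connections, so a long-running server keeps accumulating memory; in the hardened handler it stays flat.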

white-label-development commented 5 months ago

This bug is in the NVD https://nvd.nist.gov/vuln/detail/CVE-2023-22551 and causes the dependency check in my devops build pipeline to terminate the build :(

Great package otherwise :)