LightFTP Buffer Overflow Vulnerability in MaxUsers Configuration Component Allowing Denial-of-Service

Vulnerability

A memory-safety issue has been reported in LightFTP version 2.0 in the handling of the 'g_cfg.MaxUsers' configuration value. The server reads 'maxusers' from its configuration file and passes the value, with no upper bound, as the element count for its client-socket allocation. A sufficiently large value makes that allocation fail and the process aborts, so a crafted configuration file yields a denial of service. Two points matter for triage: the input is the configuration file, so an attacker needs write access to that file (or to whatever provisions it), and the failure mode described is an unchecked allocation size rather than an out-of-bounds write, even though the issue is filed as a buffer overflow.

Impact

Exploitation aborts the server process, taking the FTP service offline immediately. Because the oversized value lives in the configuration file rather than in a transient request, a service supervisor that restarts the process will hit the same abort on every start, so the service stays down until the file is corrected. The disruption is wider where the FTP process runs with privileged access or where its failure cascades to other components on the host.

Reproduction

To reproduce, clone the LightFTP repository and check out version 2.0. Build the server with AddressSanitizer enabled (compiler flag -fsanitize=address) so that the failed allocation is reported rather than silently returned as a null pointer. Create a configuration file whose 'maxusers' entry is a very large integer, such as a value close to the 32-bit unsigned maximum (4294967295), and start the server with it. On startup the server requests memory for that many client-socket entries; the request fails, the process aborts, and AddressSanitizer prints an out-of-memory report identifying the failed allocation size.
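As an added illustration, not code from LightFTP itself, the following C program places the allocation pattern the advisory describes next to a bounded parser for the 'maxusers' value. The cap MAX_USERS_LIMIT, the client_slot type, the function names and the configuration fragments are all assumptions made for this example; only the 'maxusers' key comes from the advisory.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical cap on concurrent clients. LightFTP itself imposes no such
 * bound on 'maxusers'; the limit is this example's own. */
#define MAX_USERS_LIMIT 1024UL

/* Hypothetical per-client slot standing in for the server's socket table. */
typedef struct {
    int fd;
    unsigned long session_id;
} client_slot;

/* The pattern the advisory describes: the configured count goes straight
 * into the allocation with no upper bound. For a count near UINT32_MAX this
 * requests tens of gigabytes; a plain libc returns NULL, while a sanitizer
 * build aborts with an out-of-memory report before this function returns. */
client_slot *alloc_slots_unchecked(unsigned long maxusers)
{
    return calloc(maxusers, sizeof(client_slot));
}

/* Hardened parser for the 'maxusers' value: strict unsigned decimal, no sign,
 * no trailing junk, non-zero, and at most MAX_USERS_LIMIT. Returns 0 and
 * stores the value on success, -1 on rejection. */
int parse_max_users(const char *text, unsigned long *out)
{
    if (text == NULL)
        return -1;
    while (*text == ' ' || *text == '\t')
        text++;
    if (*text < '0' || *text > '9')   /* rejects empty, '-', '+' */
        return -1;

    char *end = NULL;
    errno = 0;
    unsigned long v = strtoul(text, &end, 10);
    if (errno == ERANGE)              /* did not fit in unsigned long */
        return -1;
    while (*end == ' ' || *end == '\t' || *end == '\r' || *end == '\n')
        end++;
    if (*end != '\0')                 /* "16abc" and the like */
        return -1;
    if (v == 0 || v > MAX_USERS_LIMIT)
        return -1;
    *out = v;
    return 0;
}

/* Bounded replacement for alloc_slots_unchecked: the count is validated
 * before it ever reaches the allocator. Returns NULL on rejection. */
client_slot *alloc_slots_checked(const char *maxusers_text)
{
    unsigned long n;
    if (parse_max_users(maxusers_text, &n) != 0)
        return NULL;
    return calloc(n, sizeof(client_slot));
}

/* Find "maxusers=" in an INI-style configuration blob and return the
 * validated value, or -1 if the key is missing or its value is rejected. */
long max_users_from_config(const char *config)
{
    const char *line = config;
    while (line != NULL && *line != '\0') {
        const char *eol = strchr(line, '\n');
        size_t len = eol ? (size_t)(eol - line) : strlen(line);
        if (len > 9 && strncmp(line, "maxusers=", 9) == 0) {
            char value[32];
            if (len - 9 >= sizeof value)
                return -1;            /* absurdly long value: reject */
            memcpy(value, line + 9, len - 9);
            value[len - 9] = '\0';
            unsigned long n;
            return parse_max_users(value, &n) == 0 ? (long)n : -1;
        }
        line = eol ? eol + 1 : NULL;
    }
    return -1;
}

int main(void)
{
    /* Constructed configuration fragments; the 'maxusers' key mirrors the
     * advisory, the surrounding layout is assumed. */
    const char *crafted = "[ftpconfig]\nport=2121\nmaxusers=4294967295\n";
    const char *sane    = "[ftpconfig]\nport=2121\nmaxusers=16\n";

    printf("crafted config -> %ld\n", max_users_from_config(crafted)); /* -1 */
    printf("sane config    -> %ld\n", max_users_from_config(sane));    /* 16 */

    client_slot *slots = alloc_slots_checked("16");
    printf("checked alloc  -> %s\n", slots ? "ok" : "rejected");
    free(slots);
    return 0;
}
```

The cap does double duty: it keeps the server from being talked into an allocation it cannot satisfy, and it keeps the count times the slot size far below SIZE_MAX on every platform, so the multiplication inside calloc cannot wrap either. Rejecting trailing characters and signs closes the usual parser gaps (a "-1" that strtoul silently turns into ULONG_MAX, for instance) rather than only the headline case.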

Added: Dec 1, 2025, 4:20 PM
Updated: Dec 1, 2025, 8:26 PM

Vulnerability Rating

Custom Algorithm
spread: 0.8
impact: 2.5
exploitability: 9.5
remediation: 0.0
relevance: 1.2
threat: 6.4
urgency: 2.9
incentive: 10.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.