ftp: No unbounded directory command re-use

OSS-Fuzz generated traffic containing a CWD command with a single very large
path argument (427kb) starting with ".___/` \x00\x00...". This is followed
by a large number of ftp replies with code 250. The directory logic in
ftp_reply() would match every incoming reply with the one pending CWD command,
triggering path buildup ending with something 120MB in size.

Protect from re-using a directory command by setting a flag in the
CmdArg record when it was consumed for the path traversal logic.

This doesn't prevent unbounded path build-up generally, but does prevent the
amplification of a single large command with very many small ftp_replies.
Re-using a pending path command seems like a bug as well.
Arne Welzel 2023-04-18 21:17:40 +02:00 committed by Tim Wojtulewicz
parent d4eb71ab8f
commit 64f84aba34
2 changed files with 6 additions and 1 deletions
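
A simplified model of the amplification the commit message describes, added here as an illustration in Python; it is not Zeek's code. The `join_path` rule, the `replay` helper and the sizes are assumptions; only the `cwd_consumed` field name comes from the patch.

```python
# Model of the reply-matching behaviour described in the commit message.
# Not Zeek code: CmdArg, the path join and the sizes are simplified assumptions.
from dataclasses import dataclass


@dataclass
class CmdArg:
    cmd: str
    arg: str = ""
    cwd_consumed: bool = False  # mirrors the field added by the patch


def join_path(cwd: str, arg: str) -> str:
    """Assumed join rule: absolute args replace cwd, relative args are appended."""
    if arg.startswith("/"):
        return arg
    return cwd.rstrip("/") + "/" + arg


def replay(pending: CmdArg, reply_codes, guard: bool) -> int:
    """Match reply codes against one pending command; return the final len(cwd)."""
    cwd = "/"
    for code in reply_codes:
        if code != 250 or pending.cmd != "CWD":
            continue
        if guard and pending.cwd_consumed:
            continue  # arg was already applied to cwd once; ignore repeats
        cwd = join_path(cwd, pending.arg)
        pending.cwd_consumed = True
    return len(cwd)


def demo(arg_len: int = 4096, replies: int = 300):
    # Constructed input: one large relative CWD argument, many 250 replies.
    arg = "." + "_" * (arg_len - 1)
    codes = [250] * replies
    unguarded = replay(CmdArg("CWD", arg), codes, guard=False)
    guarded = replay(CmdArg("CWD", arg), codes, guard=True)
    return unguarded, guarded


if __name__ == "__main__":
    u, g = demo()
    print(f"without flag: {u} bytes, with flag: {g} bytes")
```

In this model the tracked path grows linearly with the number of matching replies unless the flag is checked, and with the flag the size is still bounded only by the length of the single argument.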

@ -10,6 +10,9 @@ export {
arg: string &default="";
## Counter to track how many commands have been executed.
seq: count &default=0;
## Flag indicating if the arg of this CmdArg has been used
## to update cwd of c$ftp.
cwd_consumed: bool &default=F;
};
## Structure for tracking pending commands in the event that the client
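Review bot: the doc comment on `cwd_consumed` says what the flag records but not who sets it, and because the field is declared inside the `export` block it becomes part of the public CmdArg record. Consider stating in the comment that it is internal bookkeeping set by the reply handling once the arg has been applied to the cwd, and that scripts should not set it themselves. The hunk shown here only declares the field; the code that sets and tests it is in the other changed file, so the ordering of the test before the path update has to be checked there.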