net: lib: ftp_client: Fix vulnerabilities #27159

Merged
nordicjm merged 1 commit into nrfconnect:main from MarkusLassila:fix-ftp-client-vulnerabilities
Feb 23, 2026

@MarkusLassila
Contributor

  • sprintf -> snprintf (boundary checks).
  • Improve pasv_msg validation.
  • Add input parameter validation.
  • Fix race condition with PASV response being overwritten.

Jira: SI-498
Jira: SI-500
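
The bounded formatting, PASV reply validation and input parameter checks listed above can be shown with a small parser for the RFC 959 `227` reply. This is an added example, not code from this pull request or from ftp_client.c; the function name `parse_pasv`, its signature and the sample reply are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper (not from ftp_client.c): parse an RFC 959 reply
 * "227 <text> (h1,h2,h3,h4,p1,p2)" into caller-owned ip/port storage.
 * Returns 0 on success, -1 on malformed or out-of-range input. */
int parse_pasv(const char *msg, char *ip, size_t ip_len, uint16_t *port)
{
	long v[6];
	const char *p;
	char *end;

	if (!msg || !ip || !port || ip_len == 0 || strncmp(msg, "227 ", 4) != 0)
		return -1;
	p = strchr(msg, '(');
	if (!p)
		return -1;
	p++;
	for (int i = 0; i < 6; i++) {
		if (*p < '0' || *p > '9')	/* no sign, space or empty field */
			return -1;
		v[i] = strtol(p, &end, 10);
		if (end - p > 3 || v[i] > 255 || *end != (i < 5 ? ',' : ')'))
			return -1;	/* too long, not an octet, or bad separator */
		p = end + 1;
	}
	int n = snprintf(ip, ip_len, "%ld.%ld.%ld.%ld", v[0], v[1], v[2], v[3]);
	if (n < 0 || (size_t)n >= ip_len || (v[4] == 0 && v[5] == 0))
		return -1;	/* address would be truncated, or port is 0 */
	*port = (uint16_t)(v[4] * 256 + v[5]);
	return 0;
}

int main(void)
{
	char ip[16];
	uint16_t port = 0;
	/* Constructed sample reply, not captured from a real server. */
	int rc = parse_pasv("227 Entering Passive Mode (192,0,2,10,19,137)", ip, sizeof(ip), &port);
	printf("rc=%d ip=%s port=%u\n", rc, rc ? "-" : ip, port);
	return 0;
}
```

The truncation check on the `snprintf` return value is what the unbounded `sprintf` form cannot provide: a destination that is too small becomes an error return instead of a write past the buffer.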

@MarkusLassila MarkusLassila requested a review from a team as a code owner February 23, 2026 07:49
@NordicBuilder NordicBuilder added the changelog-entry-required label Feb 23, 2026
@NordicBuilder NordicBuilder requested a review from a team February 23, 2026 07:49
@NordicBuilder
Contributor

NordicBuilder commented Feb 23, 2026

CI Information

Build number: 2

Inputs:

Sources:

sdk-nrf: PR head: c049eac1e3bd1f09e71e083d3bccd22790bb6170

merge base: 06bb96a3b6e8ab4e52c540e3784ac065d3a45150
target head (main): acd5ad83ee4bb120af625fdd9cd16d948ed69d66

Github labels

| Enabled | Name | Description |
|---|---|---|
| | ci-disabled | Disable the ci execution |
| | ci-all-test | Run all of ci, no test spec filtering will be done |
| | ci-force-downstream | Force execution of downstream even if twister fails |
| | ci-run-twister | Force run twister |
| | ci-run-zephyr-twister | Force run zephyr twister |

List of changed files detected by CI (1)
subsys
│  ├── net
│  │  ├── lib
│  │  │  ├── ftp_client
│  │  │  │  ├── src
│  │  │  │  │  │ ftp_client.c

Outputs:

Toolchain

Version: f9c66dfcaf
Build docker image: docker-dtr.nordicsemi.no/sw-production/ncs-build:f9c66dfcaf_5ea73affbf

Test Spec & Results: ✅ Success; ❌ Failure; 🟠 Queued; 🟡 Progress; ◻️ Skipped; ⚠️ Quarantine

  • ◻️ Toolchain - Skipped: existing toolchain is used
  • ✅ Build twister
    • sdk-nrf test count: 331
  • ✅ Integration tests
Disabled integration tests
    • test-fw-nrfconnect-nrf_lrcs_mosh
    • test-fw-nrfconnect-nrf_lrcs_positioning
    • desktop52_verification
    • test_ble_nrf_config
    • test-fw-nrfconnect-apps
    • test-fw-nrfconnect-ble_mesh
    • test-fw-nrfconnect-ble_samples
    • test-fw-nrfconnect-chip
    • test-fw-nrfconnect-fem
    • test-fw-nrfconnect-nfc
    • test-fw-nrfconnect-nrf-iot_libmodem-nrf
    • test-fw-nrfconnect-nrf-iot_lwm2m
    • test-fw-nrfconnect-nrf-iot_samples
    • test-fw-nrfconnect-nrf-iot_thingy91
    • test-fw-nrfconnect-nrf-iot_zephyr_lwm2m
    • test-fw-nrfconnect-nrf_crypto
    • test-fw-nrfconnect-ps-main
    • test-fw-nrfconnect-rpc
    • test-fw-nrfconnect-rs
    • test-fw-nrfconnect-tfm
    • test-fw-nrfconnect-thread-main
    • test-low-level
    • test-sdk-audio
    • test-sdk-dfu
    • test-sdk-find-my
    • test-sdk-mcuboot
    • test-sdk-wifi
    • test-secdom-samples-public

Note: This message is automatically posted and updated by the CI

- sprintf -> snprintf (boundary checks).
- Improve pasv_msg validation.
- Add input parameter validation.
- Fix race condition with PASV response being
  overwritten.

Signed-off-by: Markus Lassila <markus.lassila@nordicsemi.no>
@MarkusLassila MarkusLassila force-pushed the fix-ftp-client-vulnerabilities branch from d449597 to c049eac Compare February 23, 2026 07:57
@rlubos
Contributor

rlubos commented Feb 23, 2026

FYI As agreed with @SeppoTakalo I've opened zephyrproject-rtos/zephyr#104316, I'll apply those improvements there too (some of them already were).

@MarkusLassila MarkusLassila changed the title subsys: net: lib: ftp_client: Fix vulnerabilities Feb 23, 2026
@nordicjm nordicjm merged commit 65b948d into nrfconnect:main Feb 23, 2026
18 checks passed

Labels

backport v3.2-branch changelog-entry-required Update changelog before merge. Remove label if entry is not needed or already added.

6 participants