[defect]: Two random bugs in rlm_ftp.c

[MegaManSec]

What type of defect/bug is this?

Unexpected behaviour

How can the issue be reproduced?

While working on #5668, I came across what I think are three bugs. I didn't want to make PRs for them because I might be wrong but, I thought better to create a single issue. All issues relate to github.com/FreeRADIUS/freeradius-server/blob/7e538657fe05325cbd84453fc034d3a9b8598735/src/modules/rlm_ftp/rlm_ftp.c.

1. The wrong variable is logged in here:

   freeradius-server/src/modules/rlm_ftp/rlm_ftp.c

   Lines 217 to 219 in 7e53865

   	if ((ctx->instance->max_resp_size > 0) && ((ctx->used + (end - p)) > ctx->instance->max_resp_size)) {
   	REDEBUG("Incoming data (%zu bytes) exceeds max_body_in (%zu bytes). "
   	"Forcing body to type 'invalid'", ctx->used + (end - p), ctx->instance->max_resp_size);

2. I think this is missing a curl_ctx->response.request = request; https://github.com/FreeRADIUS/freeradius-server/blob/7e538657fe05325cbd84453fc034d3a9b8598735/src/modules/rlm_ftp/rlm_ftp.c#L296C2-L296C17 so this works https://github.com/FreeRADIUS/freeradius-server/blob/7e538657fe05325cbd84453fc034d3a9b8598735/src/modules/rlm_ftp/rlm_ftp.c#L209C14-L209C21

Log output from the FreeRADIUS daemon

n/a

Relevant log output from client utilities

No response

Backtrace from LLDB or GDB

[ndptech]

I agree with point 2, but what makes you say the wrong variable is logged in point 1?

[MegaManSec]

i think it should be max_resp_size (https://www.freeradius.org/documentation/freeradius-server/4.0.0/reference/raddb/mods-available/ftp.html). max_body_in is for something else: https://www.freeradius.org/documentation/freeradius-server/4.0.0/reference/raddb/mods-available/rest.html

[ndptech]

Ah - I see - it's the message that's wrong, not the variable - as in it's referring to the wrong config option. (The code was largely based on the rlm_rest code)
Thanks

[MegaManSec]

By the way, as mentioned, this was found by ZeroPath. There are quite a lot of findings from this ZeroPath tool; are you interested in the raw results? I imagine somebody with in-depth knowledge of the code can triage the findings a lot faster than me.. I've been doing this with other projects, for example in curl, I’ve reported (+ submitted patches) over 200 valid bugs (see this post or this article or this digest or this blog post). If you're interested, I can email them over. There's also vulnerabilities (the majority of them, in fact). https://github.com/FreeRADIUS/freeradius-server/security is empty so I wasn't sure where to report them.

[MegaManSec]

^ cc/ @arr2036 might be a better person to ask; ZeroPath found all of the issues I've reported/PRs submitted, so far.