Date: 1 Sep 2002 02:30:18 -0000 From: "Chris S.J.Peron" <maneo@bsdpro.com> To: FreeBSD-gnats-submit@FreeBSD.org Subject: bin/42275: [patch] sftp coredump if file specified by put/get args does not exist Message-ID: <20020901023018.6025.qmail@staff.seccuris.com>
>Number: 42275 >Category: bin >Synopsis: [patch] sftp coredump if file specified by put/get args does not exist >Confidential: no >Severity: non-critical >Priority: medium >Responsible: freebsd-bugs >State: open >Quarter: >Keywords: >Date-Required: >Class: sw-bug >Submitter-Id: current-users >Arrival-Date: Sat Aug 31 19:10:01 PDT 2002 >Closed-Date: >Last-Modified: >Originator: Chris S.J. Peron >Release: FreeBSD 4.6.2-RELEASE i386 >Organization: Seccuris Inc >Environment: System: FreeBSD staff.seccuris.com 4.6.2-RELEASE FreeBSD 4.6.2-RELEASE #1: Tue Aug 20 16:12:25 CDT 2002 cperon@staff.seccuris.com:/usr/src/sys/compile/opcode i386 >Description: The sftp put/get commands are implemented by the process_put() and process_get() routines defined in the sftp-int.c source file. These functions subsequently use glob(3) to populate gl_pathv which contains a pointer to a NULL-terminated list of matched pathnames. However, if gl_pathc is zero, the contents of gl_pathv are undefined. Because process_put{get} do not use proper error checking, IF the requested file does not exist, sftp will drop a core and die horribly. >How-To-Repeat: % sftp cperon@xor Connecting to xor... Password: sftp> get blahblahblah Couldn't stat remote file: No such file or directory Segmentation fault (core dumped) % Likewise for ``put'' % sftp cperon@xor Connecting to xor... Password: sftp> put poopoop Segmentation fault (core dumped) % >Fix: --- /usr/src/crypto/openssh/sftp-int.c.broken Sat Aug 31 20:57:33 2002 +++ /usr/src/crypto/openssh/sftp-int.c Sat Aug 31 21:01:34 2002 @@ -367,6 +367,10 @@ goto out; } + /* Check to make sure that the file(s) exists. */ + if (g.gl_pathv == '\0') + goto out; + /* Only one match, dst may be file, directory or unspecified */ if (g.gl_pathv[0] && g.gl_matchc == 1) { if (dst) { 
@@ -446,6 +450,13 @@ goto out; } + /* Check to make sure the file(s) exists. */ + if (g.gl_pathv == '\0') { + error("File \"%s\" not found.", src); + err = -1; + goto out; + } + /* Only one match, dst may be file, directory or unspecified */ if (g.gl_pathv[0] && g.gl_matchc == 1) { if (tmp_dst) { >Release-Note: >Audit-Trail: >Unformatted: To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-bugs" in the body of the message
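Review bot: In the @@ -367,6 +367,10 hunk, the added `if (g.gl_pathv == '\0')` compares a pointer with a character constant, and by the report's own description gl_pathv is undefined when nothing matched, so it can hold a non-NULL garbage value and the `g.gl_pathv[0]` test directly below still dereferences it. Test the count instead, for example `if (g.gl_matchc == 0)`, which is the field the following line already relies on. This branch also jumps to out without printing anything or setting an error status, unlike the second hunk; if an err variable is in scope here it should be set the same way.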
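Review bot: In the @@ -446,6 +450,13 hunk, the guard is the same `g.gl_pathv == '\0'` pointer comparison, so it only helps when glob happens to leave gl_pathv NULL, which the description says cannot be assumed. Guard the `g.gl_pathv[0]` access with `g.gl_matchc == 0`, and if the pointer test is kept, write it as `== NULL`. Because src goes through glob and may be a pattern, wording such as "No match for" would be more accurate than `"File \"%s\" not found."`, and the comment should read "file(s) exist".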
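The failure mode in the description, as an added example that is not part of the original report or of OpenSSH: a local glob(3) caller that checks the return code and gl_pathc before touching gl_pathv. The helper name first_match and the sample patterns are assumptions made for illustration.

```c
#include <glob.h>
#include <stdio.h>
#include <string.h>

/*
 * Hypothetical helper (not from sftp-int.c): expand `pattern` with glob(3)
 * and copy the first match into `out`.
 * Returns the number of matches, 0 when nothing matched, and -1 on a glob
 * error or when the first match does not fit in `out`.
 */
int
first_match(const char *pattern, char *out, size_t outlen)
{
	glob_t g;
	int n = -1;
	int rc;

	memset(&g, 0, sizeof(g));	/* keeps globfree() safe on every path */
	rc = glob(pattern, 0, NULL, &g);

	if (rc == GLOB_NOMATCH || (rc == 0 && g.gl_pathc == 0)) {
		/* No match: gl_pathv must not be read at all. */
		n = 0;
	} else if (rc == 0) {
		/* gl_pathc > 0, so gl_pathv[0] is a valid string. */
		n = (int)g.gl_pathc;
		if (snprintf(out, outlen, "%s", g.gl_pathv[0]) >= (int)outlen)
			n = -1;		/* truncated */
	}
	globfree(&g);
	return n;
}

int
main(void)
{
	/* Constructed sample patterns: one that cannot match, one that does. */
	const char *patterns[] = { "/constructed-no-such-file-42275-*", "/" };
	char buf[256];
	size_t i;

	for (i = 0; i < sizeof(patterns) / sizeof(patterns[0]); i++) {
		int n = first_match(patterns[i], buf, sizeof(buf));
		printf("%s: %d match(es)%s%s\n", patterns[i], n,
		    n > 0 ? ", first = " : "", n > 0 ? buf : "");
	}
	return 0;
}
```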