Date: 1 Sep 2002 02:30:18 -0000
From: "Chris S.J.Peron" <maneo@bsdpro.com>
To: FreeBSD-gnats-submit@FreeBSD.org
Subject: bin/42275: [patch] sftp coredump if file specified by put/get args does not exist
Message-ID: <20020901023018.6025.qmail@staff.seccuris.com>
>Number: 42275
>Category: bin
>Synopsis: [patch] sftp coredump if file specified by put/get args does not exist
>Confidential: no
>Severity: non-critical
>Priority: medium
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Sat Aug 31 19:10:01 PDT 2002
>Closed-Date:
>Last-Modified:
>Originator: Chris S.J. Peron
>Release: FreeBSD 4.6.2-RELEASE i386
>Organization:
Seccuris Inc
>Environment:
System: FreeBSD staff.seccuris.com 4.6.2-RELEASE FreeBSD 4.6.2-RELEASE #1: Tue Aug 20 16:12:25 CDT 2002 cperon@staff.seccuris.com:/usr/src/sys/compile/opcode i386
>Description:
The sftp put/get commands are implemented by the process_put()
and process_get() routines defined in the sftp-int.c source file.
These functions subsequently use glob(3) to populate gl_pathv
which contains a pointer to a NULL-terminated list of matched
pathnames.
However, if gl_pathc is zero, the contents of gl_pathv are undefined.
Because process_put{get} do not use proper error checking, IF
the requested file does not exist, sftp will drop a core and
die horribly.
>How-To-Repeat:
% sftp cperon@xor
Connecting to xor...
Password:
sftp> get blahblahblah
Couldn't stat remote file: No such file or directory
Segmentation fault (core dumped)
%
Likewise for ``put''
% sftp cperon@xor
Connecting to xor...
Password:
sftp> put poopoop
Segmentation fault (core dumped)
%
>Fix:
--- /usr/src/crypto/openssh/sftp-int.c.broken Sat Aug 31 20:57:33 2002
+++ /usr/src/crypto/openssh/sftp-int.c Sat Aug 31 21:01:34 2002
@@ -367,6 +367,10 @@
goto out;
}
+ /* Check to make sure that the file(s) exists. */
+ if (g.gl_pathv == '\0')
+ goto out;
+
/* Only one match, dst may be file, directory or unspecified */
if (g.gl_pathv[0] && g.gl_matchc == 1) {
if (dst) {
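Review bot: the added test `if (g.gl_pathv == '\0')` compares a pointer with a character constant and looks at the wrong field. It compiles only because '\0' is a zero constant, and the Description above states that gl_pathv is undefined when nothing matched, so the pointer is not a reliable signal. Test the match count that the next context line already uses, for example `if (g.gl_matchc == 0)`, and spell any remaining pointer comparison with NULL. This branch also leaves through `goto out` without a message or an error status, while the second hunk reports the miss and sets `err = -1`; the two should behave the same way.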
@@ -446,6 +450,13 @@
goto out;
}
+ /* Check to make sure the file(s) exists. */
+ if (g.gl_pathv == '\0') {
+ error("File \"%s\" not found.", src);
+ err = -1;
+ goto out;
+ }
+
/* Only one match, dst may be file, directory or unspecified */
if (g.gl_pathv[0] && g.gl_matchc == 1) {
if (tmp_dst) {
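Review bot: the guard `if (g.gl_pathv == '\0')` in this hunk tests the pointer rather than the number of matches, so it does not cover the case the report describes, where the count is zero and gl_pathv holds an undefined value. Use `if (g.gl_matchc == 0)` to agree with the `g.gl_matchc == 1` test in the context line below it. The comment says "file(s)" but the message prints `src` as a single "File"; since `src` goes through glob it may be a pattern, so wording such as "no match for %s" would describe the failure more accurately.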
>Release-Note:
>Audit-Trail:
>Unformatted:
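The no-match case from the Description, handled by return code and match count instead of by inspecting gl_pathv. This is an added example, not code from the PR or from OpenSSH; it calls the C library's glob(3) directly, and `first_match()` and the sample patterns are hypothetical names constructed for the illustration.

```c
#include <glob.h>
#include <stdio.h>
#include <string.h>

/*
 * first_match(): hypothetical helper, not an sftp function. Expands
 * `pattern` and copies the first match into `out`. Returns the number of
 * matches, 0 if nothing matched, -1 on glob error or if `out` is too small.
 */
int first_match(const char *pattern, char *out, size_t outlen)
{
    glob_t g;
    int rc, n;

    memset(&g, 0, sizeof(g));   /* keeps globfree() safe on every path */
    rc = glob(pattern, 0, NULL, &g);

    /* No match: decide on the return code and the count, and never
     * dereference or compare gl_pathv on this path. */
    if (rc == GLOB_NOMATCH || (rc == 0 && g.gl_pathc == 0)) {
        globfree(&g);
        return 0;
    }
    if (rc != 0) {              /* GLOB_NOSPACE or GLOB_ABORTED */
        globfree(&g);
        return -1;
    }

    /* gl_pathc > 0 here, so gl_pathv[0] is a valid string. */
    if (strlen(g.gl_pathv[0]) >= outlen) {
        globfree(&g);
        return -1;
    }
    strcpy(out, g.gl_pathv[0]);
    n = (int)g.gl_pathc;
    globfree(&g);
    return n;
}

int main(void)
{
    char buf[1024];
    /* Constructed inputs: "." always exists, the second name should not. */
    const char *pats[] = { ".", "no-such-file-pr42275-*" };
    for (int i = 0; i < 2; i++) {
        int n = first_match(pats[i], buf, sizeof(buf));
        printf("%s: %d\n", pats[i], n);
    }
    return 0;
}
```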
