Date:      Mon, 15 Mar 2010 12:08:20 GMT
From:      David BERARD <contact@davidberard.fr>
To:        FreeBSD-gnats-submit@FreeBSD.org
Cc:        laurent@sintes.org
Subject:   standards/144761: FTPD bug remote crash
Message-ID:  <201003151208.o2FC8Kxb053818@lab.polymorf.fr>
Resent-Message-ID: <201003151240.o2FCe7EG009704@freefall.freebsd.org>

>Number:         144761
>Category:       standards
>Synopsis:       FTPD bug remote crash
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-standards
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Mon Mar 15 12:40:07 UTC 2010
>Closed-Date:
>Last-Modified:
>Originator:     David BERARD
>Release:        FreeBSD 8.0-RELEASE amd64
>Organization:
NFrance Conseil
>Environment:
System: FreeBSD lab.polymorf.fr 8.0-RELEASE FreeBSD 8.0-RELEASE #0: Sat Nov 21 15:02:08 UTC 2009 root@mason.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC amd64

>Description:
FTPD child process can die with signal 11, bug found by Kingcope
	kernel: pid 46033 (ftpd), uid 1001: exited on signal 11
References :
	http://seclists.org/fulldisclosure/2010/Mar/117
	http://seclists.org/fulldisclosure/2010/Mar/138
	http://seclists.org/fulldisclosure/2010/Mar/139
>How-To-Repeat:
	ftp localhost
	[....login....]
	ftp> mkdir WWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWW
	ftp> ls {W*/../W*/../W*/../W*/../W*/../W*/../W*/}
	[....Server close connection....]
>Fix:

See the attached patch, should fix issue

--- ftpd_popen.patch begins here ---
--- /usr/src/libexec/ftpd/popen.c	2009-10-25 01:10:29.000000000 +0000
+++ /usr/src/libexec/ftpd/popen.c	2010-03-13 08:03:24.000000000 +0000
@@ -108,7 +108,7 @@
 		memset(&gl, 0, sizeof(gl));
 		gl.gl_matchc = MAXGLOBARGS;
 		flags |= GLOB_LIMIT;
-		if (glob(argv[argc], flags, NULL, &gl))
+		if (glob(argv[argc], flags, NULL, &gl) || gl.gl_pathc == 0)
 			gargv[gargc++] = strdup(argv[argc]);
 		else
 			for (pop = gl.gl_pathv; *pop && gargc < (MAXGLOBARGS-1);
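Review bot: The added `gl.gl_pathc == 0` test on the `if (glob(...))` line needs a short comment saying why a successful return with zero matches is sent to the fallback branch. `gl` is zeroed by the memset() above, so `gl.gl_pathv` can still be NULL when glob() fills nothing in, and the `else` loop dereferences it immediately through `*pop`. Two smaller points on the fallback line `gargv[gargc++] = strdup(argv[argc]);`, which more inputs reach after this change: the strdup() result is stored without a NULL check, and unlike the loop below it has no `gargc < (MAXGLOBARGS-1)` bound in the lines shown, so please confirm the enclosing loop enforces that limit.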
--- ftpd_popen.patch ends here ---


>Release-Note:
>Audit-Trail:
>Unformatted:


