Date: Tue, 18 Jul 2006 01:51:18 +1000 (EST)
From: Andrew Stevenson <andrew@ugh.net.au>
To: FreeBSD-gnats-submit@FreeBSD.org
Cc: mikeh@FreeBSD.org, obrien@FreeBSD.org
Subject: bin/100442: lukemftpd core dumps on anonymous login
Message-ID: <20060717155118.CB4F4386C0F@starbug.ugh.net.au>
Resent-Message-ID: <200607171600.k6HG0ZBR099828@freefall.freebsd.org>

>Number: 100442
>Category: bin
>Synopsis: lukemftpd core dumps on anonymous login
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Mon Jul 17 16:00:34 GMT 2006
>Closed-Date:
>Last-Modified:
>Originator: Andrew Stevenson
>Release: FreeBSD 6.1-RELEASE i386
>Organization: UgH!
>Environment:
System: FreeBSD starbug.ugh.net.au 6.1-RELEASE FreeBSD 6.1-RELEASE #0: Mon Jun 12 07:32:23 UTC 2006 root@jail.ugh.net.au:/usr/obj/usr/src/sys/KERNEL1 i386

>Description:
lukemftpd core dumps on anonymous login after accepting the password.

What seems to be happening is that the user function (ftpd.c:716) is called but we hit the goto on line 786 and so skip the call to parse_conf on line 821. This means that when we get to count_users (conf.c:883) (called from pass (ftpd.c:1149)) curclass.classname is still NULL and the strlcat on line 892 of conf.c causes a segfault.

The NetBSD code differs in that it doesn't have the goto, though I haven't tested to see if that avoids the problem. I'm not sure of the rationale for the differing code - the comments seem to say the NetBSD code came from FreeBSD originally.

>How-To-Repeat:
Added an ftp user and group. Shell set to nologin.
Added lukemftpd to inetd.conf with the flags "ftpd -ll -r -d".
Login via FTP as "ftp" with any password.

>Fix:
>Release-Note:
>Audit-Trail:
>Unformatted:
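
A reduced model of the control flow this report describes, added here as an example; it is not part of the original report and is not lukemftpd source. The names user_cmd, take_early_exit and count_users_checked, the "guest" class and the "pids-" prefix are assumptions, and snprintf stands in for the strlcat call. It shows a NULL check in the counting routine turning the skipped parse_conf into an error return rather than a crash.

```c
#include <stdio.h>
#include <string.h>

/* Reduced model of the reported flow; not the lukemftpd source. */
struct ftpclass { const char *classname; };
static struct ftpclass curclass;        /* classname is NULL until parse_conf runs */

static void parse_conf(const char *cls) { curclass.classname = cls; }

/* Models user(): take_early_exit (hypothetical flag) stands for whatever
 * condition takes the goto and so skips parse_conf. */
static void user_cmd(int take_early_exit)
{
    if (take_early_exit)
        goto cleanup;
    parse_conf("guest");                /* constructed class name */
cleanup:
    return;
}

/* Models count_users() with a guard: returns -1 instead of handing a
 * NULL classname to the string routine; 0 on success. */
static int count_users_checked(char *out, size_t outlen)
{
    int n;

    if (curclass.classname == NULL)
        return -1;                      /* class never set up: report failure */
    n = snprintf(out, outlen, "pids-%s", curclass.classname); /* constructed prefix */
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

int main(void)
{
    char path[64];

    user_cmd(1);                        /* path that skips parse_conf */
    printf("goto path: %d\n", count_users_checked(path, sizeof path));
    user_cmd(0);                        /* path that reaches parse_conf */
    printf("normal path: %d (%s)\n", count_users_checked(path, sizeof path), path);
    return 0;
}
```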