From krb5-bugs-incoming-bounces@PCH.mit.edu Mon Jan 23 18:00:40 2012
Date: Mon, 23 Jan 2012 17:20:21 -0500
Message-Id: <201201232220.q0NMKLFi013980@blade.bos.redhat.com>
To: krb5-bugs@mit.edu
Subject: ftp: unterminated file mode passed to fopen()
From: nalin@redhat.com

>Submitter-Id: net
>Originator:
>Organization:
>Confidential: no
>Synopsis: the ftp client can pass an unterminated string to fopen()
>Severity: non-critical
>Priority: low
>Category: krb5-appl
>Class: sw-bug
>Release: 1.0.2
>Environment:
System: Linux blade.bos.redhat.com 3.2.1-5.fc17.x86_64 #1 SMP Tue Jan 17 18:57:18 UTC 2012 x86_64 x86_64 x86_64 GNU/Linux
Architecture: x86_64
>Description:
Siddhesh Poyarekar notes that the file mode that is passed to fopen() via recvrequest() when "ftp" is executing an "mls" or "mdir" command isn't properly terminated.
>How-To-Repeat:
We've gotten sporadic reports about this causing the client to fail in cases where the next byte on the stack happens to be 'x', but nothing reliably reproducible at this point.
>Fix:
There are multiple variations on a fix, but here's Siddhesh's patch:
--- a/gssftp/ftp/cmds.c 2012-01-12 13:06:12.827204828 +0530 +++ b/gssftp/ftp/cmds.c 2012-01-12 13:06:08.978204741 +0530 @@ -1685,7 +1685,7 @@ voip mls(argc, argv) { sig_t oldintr; int ointer, i; - char *volatile cmd, rmode[1], *dest; + char *volatile cmd, rmode[2], *dest; if (argc < 2 && !another(&argc, &argv, "remote-files")) goto usage; @@ -1709,7 +1709,8 @@ usage: oldintr = signal(SIGINT, mabort); (void) setjmp(jabort); for (i = 1; mflag && i < argc-1; ++i) { - *rmode = (i == 1) ? 'w' : 'a'; + rmode[0] = (i == 1) ? 'w' : 'a'; + rmode[1] = 0; recvrequest(cmd, dest, argv[i], rmode, 0, 0); if (!mflag && fromatty) { ointer = interactive;
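Review bot: in the first hunk the bump to rmode[2] is the right size for a mode that is passed as a C string, but the declaration gives no hint why two bytes are needed; a comment such as `rmode[2] /* mode char + NUL */` would stop a later cleanup from shrinking it back to one. Two cosmetic points on the same hunk: its context line reads `voip mls(argc, argv)`, which looks like a paste error for `void`, and the `---`/`+++` timestamps have the a/ file newer than the b/ file, so it is worth confirming the patch was generated in the intended direction before it is applied from this mail.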
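Review bot: in the second hunk `rmode[1] = 0;` is re-executed on every iteration of the `for` although the terminator never changes; setting it once before the loop (or initialising the array at its declaration) keeps the loop body to the one byte that actually varies. More importantly, the Description says the unterminated mode reaches fopen() for both "mls" and "mdir", yet only mls() is touched here; if "mdir" is dispatched to a separate function rather than to mls() through the command table (which is not visible in this diff), that function needs the same change.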
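Added illustration of the defect and of the fix, not code from the report or from krb5: the original one-byte buffer beside the patched two-byte one, plus a hypothetical fopen_checked() wrapper that refuses an unterminated mode by scanning only within the buffer's capacity. All function names here are made up.

```c
#include <stdio.h>
#include <string.h>

/* Bounded check: does buf hold a NUL within its first cap bytes?
 * memchr() never reads past cap, so this is safe to call even on
 * the one-byte rmode[] the bug report describes. */
int mode_is_terminated(const char *buf, size_t cap)
{
    return memchr(buf, '\0', cap) != NULL;
}

/* The pattern in the original mls(): a one-byte buffer receives the
 * mode character and is then handed to recvrequest()/fopen() as a
 * string. No terminator fits, so fopen() keeps reading into whatever
 * follows rmode on the stack (the report saw failures when that byte
 * happened to be 'x'). Returns 1 if the buffer is a valid string. */
int buggy_mode_ok(int i)
{
    char rmode[1];                                   /* original size */
    *rmode = (i == 1) ? 'w' : 'a';
    return mode_is_terminated(rmode, sizeof rmode);  /* always 0 */
}

/* The pattern after the patch: room for the mode byte plus the NUL. */
int fixed_mode_ok(int i)
{
    char rmode[2];
    rmode[0] = (i == 1) ? 'w' : 'a';
    rmode[1] = 0;
    return mode_is_terminated(rmode, sizeof rmode);  /* always 1 */
}

/* Hypothetical guarded wrapper: the caller passes the mode buffer's
 * capacity, so an unterminated mode is refused instead of being read
 * off the end. Returns NULL, and opens nothing, when the check fails. */
FILE *fopen_checked(const char *path, const char *mode, size_t mode_cap)
{
    if (!mode_is_terminated(mode, mode_cap))
        return NULL;
    return fopen(path, mode);
}

int main(void)
{
    char bad[1] = { 'w' };   /* constructed: mode buffer with no NUL */
    printf("buggy terminated: %d, fixed terminated: %d, guarded open: %s\n",
           buggy_mode_ok(1), fixed_mode_ok(1),
           fopen_checked("/dev/null", bad, sizeof bad) ? "opened" : "refused");
    return 0;
}
```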