From vwelch@ncsa.uiuc.edu Fri Sep 18 18:04:19 1998
Received: from MIT.EDU (SOUTH-STATION-ANNEX.MIT.EDU [18.72.1.2]) by rt-11.MIT.EDU (8.7.5/8.7.3) with SMTP id SAA06654 for ; Fri, 18 Sep 1998 18:04:18 -0400
Received: from computer.ncsa.uiuc.edu by MIT.EDU with SMTP id AA08730; Fri, 18 Sep 98 18:03:20 EDT
Received: from vwelch by computer.ncsa.uiuc.edu with local (Exim 1.82 #9) id 0zK8cd-0004tP-00; Fri, 18 Sep 1998 17:03:23 -0500
Message-Id:
Date: Fri, 18 Sep 1998 17:03:23 -0500
From: vwelch@ncsa.uiuc.edu
Reply-To: vwelch@ncsa.uiuc.edu
To: krb5-bugs@MIT.EDU
Cc: vwelch@ncsa.uiuc.edu
Subject: gssftp client mput command can cause segfault
X-Send-Pr-Version: 3.99

>Number: 633
>Category: krb5-appl
>Synopsis: gssftp client mput command can cause segfault
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: krb5-unassigned
>State: open
>Class: sw-bug
>Submitter-Id: unknown
>Arrival-Date: Fri Sep 18 18:05:00 EDT 1998
>Last-Modified: Thu Jul 5 22:05:30 EDT 2001
>Originator: vwelch@ncsa.uiuc.edu
>Organization:
------------------------------------------------------------------------
Von Welch                                       Senior Network Engineer
vwelch@ncsa.uiuc.edu    National Center for Supercomputing Applications
------------------------------------------------------------------------
>Release: krb5-1.0.5
>Environment:
System: Linux computer.ncsa.uiuc.edu 2.0.32 #4 Mon Apr 20 09:38:29 CDT 1998 i686 unknown
Architecture: i686
>Description:
If you run the gssftp client and do an mput and any of the arguments to the mput do not get globbed (i.e. there are no wildcards) this will cause a segmentation fault because memory is free()'ed that shouldn't be. If the arguments are globbed this will not happen.
>How-To-Repeat:
$ touch file
$ ftp pecos
Connected to pecos.ncsa.uiuc.edu.
220 pecos.ncsa.uiuc.edu FTP server (Version 5.60) ready.
334 Using authentication type GSSAPI; ADAT must follow
GSSAPI accepted as authentication type
GSSAPI authentication succeeded
Name (pecos:vwelch):
232 GSSAPI user vwelch@NCSA.EDU is authorized as vwelch
230 User vwelch logged in.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> mput file
mput file? y
227 Entering Passive Mode (141,142,4,6,159,245)
150 Opening BINARY mode data connection for file.
226 Transfer complete.
Segmentation fault
>Fix:
This is because the ftpglob() simply copies the given filename pointer if it does not do any globbing instead of allocating a new string. Later in the blkfree() call this copied pointer is free()'ed with the above results. The following patch makes a copy of the string if it is not globbed.

Index: glob.c =================================================================== RCS file: /afs/ncsa/src/kerberos/NRL_CVSROOT/krb5/appl/gssftp/ftp/glob.c,v retrieving revision 1.1.1.1 diff -c -r1.1.1.1 glob.c *** glob.c 1997/06/02 21:54:20 1.1.1.1 --- glob.c 1998/09/18 21:50:01 *************** *** 104,111 **** vv[1] = 0; gflag = 0; rscan(vv, tglob); ! if (gflag == 0) return (copyblk(vv)); globerr = 0; gpath = agpath; gpathp = gpath; *gpathp = 0; --- 104,122 ---- vv[1] = 0; gflag = 0; rscan(vv, tglob); ! if (gflag == 0) { ! /* ! * If we don't do any expansion then we need to ! * make a copy of v since blkfree() will try to ! * free it. ! */ ! vv[0] = strdup(v); ! if (vv[0] == NULL) { ! globerr = "Out of memory"; ! return NULL; ! } return (copyblk(vv)); + } globerr = 0; gpath = agpath; gpathp = gpath; *gpathp = 0;
>Audit-Trail:
>Unformatted:
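Review bot: In the new `if (gflag == 0) {` branch of the glob.c hunk, the success path still leaves through `return (copyblk(vv));` before reaching `globerr = 0;`, which sits just after the closing `}`. Now that this branch can set `globerr = "Out of memory";`, a later non-globbed call that succeeds would leave that stale message in place for any caller that inspects globerr. Consider moving `globerr = 0;` above the `gflag` test so both paths start from a cleared error. The hunk also shows no declaration for strdup(), so confirm glob.c includes <string.h>, and the bare `return NULL;` could follow the `return (...)` style used on the neighbouring line.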