From vwelch@ncsa.uiuc.edu Fri Sep 18 18:04:19 1998
Received: from MIT.EDU (SOUTH-STATION-ANNEX.MIT.EDU [18.72.1.2]) by rt-11.MIT.EDU (8.7.5/8.7.3) with SMTP id SAA06654 for <bugs@RT-11.MIT.EDU>; Fri, 18 Sep 1998 18:04:18 -0400
Received: from computer.ncsa.uiuc.edu by MIT.EDU with SMTP
id AA08730; Fri, 18 Sep 98 18:03:20 EDT
Received: from vwelch by computer.ncsa.uiuc.edu with local (Exim 1.82 #9)
id 0zK8cd-0004tP-00; Fri, 18 Sep 1998 17:03:23 -0500
Message-Id: <E0zK8cd-0004tP-00@computer.ncsa.uiuc.edu>
Date: Fri, 18 Sep 1998 17:03:23 -0500
From: vwelch@ncsa.uiuc.edu
Reply-To: vwelch@ncsa.uiuc.edu
To: krb5-bugs@MIT.EDU
Cc: vwelch@ncsa.uiuc.edu
Subject: gssftp client mput command can cause segfault
X-Send-Pr-Version: 3.99
>Number: 633
>Category: krb5-appl
>Synopsis: gssftp client mput command can cause segfault
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: krb5-unassigned
>State: open
>Class: sw-bug
>Submitter-Id: unknown
>Arrival-Date: Fri Sep 18 18:05:00 EDT 1998
>Last-Modified: Thu Jul 5 22:05:30 EDT 2001
>Originator: vwelch@ncsa.uiuc.edu
>Organization:
------------------------------------------------------------------------
Von Welch Senior Network Engineer vwelch@ncsa.uiuc.edu
National Center for Supercomputing Applications
------------------------------------------------------------------------
>Release: krb5-1.0.5
>Environment:
System: Linux computer.ncsa.uiuc.edu 2.0.32 #4 Mon Apr 20 09:38:29 CDT 1998 i686 unknown
Architecture: i686
>Description:
If you run the gssftp client and do an mput and any of the arguments to the mput do not get globbed (i.e. there are no wildcards) this
will cause a segmentation fault because memory is free()'ed that shouldn't
be. If the arguments are globbed this will not happen.
>How-To-Repeat:
$ touch file
$ ftp pecos
Connected to pecos.ncsa.uiuc.edu.
220 pecos.ncsa.uiuc.edu FTP server (Version 5.60) ready.
334 Using authentication type GSSAPI; ADAT must follow
GSSAPI accepted as authentication type
GSSAPI authentication succeeded
Name (pecos:vwelch):
232 GSSAPI user vwelch@NCSA.EDU is authorized as vwelch
230 User vwelch logged in.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> mput file
mput file? y
227 Entering Passive Mode (141,142,4,6,159,245)
150 Opening BINARY mode data connection for file.
226 Transfer complete.
Segmentation fault
>Fix:
This is because ftpglob() simply copies the given filename
pointer if it does not do any globbing instead of allocating a new
string. Later in the blkfree() call this copied pointer is free()'ed
with the above results.
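Added here as an illustration, not code from the gssftp tree: a reduced model of the ownership contract between ftpglob(), copyblk() and blkfree() that the report describes, and that the strdup() copy in the patch below restores. The helpers reuse the real functions' names only for readability and are assumptions about their shape; glob_nowild and run_fixed_path are hypothetical.

```c
#define _POSIX_C_SOURCE 200809L   /* for strdup() */
#include <stdlib.h>
#include <string.h>
/* Free each string in a NULL-terminated block, then the array itself,
 * modelled on the ftp client's blkfree() plus the free() of the block. */
static void blkfree(char **av)
{
    char **p;
    for (p = av; *p != NULL; p++)
        free(*p);
    free(av);
}

/* Shallow copy of a pointer block: only the array is allocated, the
 * strings stay shared with whoever built v (the root of this bug). */
static char **copyblk(char **v)
{
    size_t n = 1;                 /* count the terminating NULL too */
    char **out;
    while (v[n - 1] != NULL)
        n++;
    out = malloc(n * sizeof *out);
    if (out != NULL)
        memcpy(out, v, n * sizeof *out);
    return out;
}

/* ftpglob()'s no-wildcard path after the patch; before it the first
 * line read "vv[0] = v;", handing the caller's own buffer to blkfree(). */
static char **glob_nowild(const char *v)
{
    char *vv[2];
    vv[0] = strdup(v);            /* the block now owns its string */
    vv[1] = NULL;
    if (vv[0] == NULL)
        return NULL;              /* strdup() failed; nothing to free */
    return copyblk(vv);
}

/* Drive the fixed path on a stack buffer, as "mput file" would. */
int run_fixed_path(void)
{
    char name[] = "file";         /* constructed argument */
    char **blk = glob_nowild(name);
    int ok = blk != NULL && blk[0] != name
             && strcmp(blk[0], name) == 0 && blk[1] == NULL;
    if (blk != NULL)
        blkfree(blk);             /* safe now: every entry is heap-owned */
    return ok;
}
```

With the pre-patch assignment `vv[0] = v;` the same driver would pass a stack address to free(), which is the undefined behaviour behind the segmentation fault in the transcript.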
The following patch makes a copy of the string if it is not globbed.
Index: glob.c
===================================================================
RCS file: /afs/ncsa/src/kerberos/NRL_CVSROOT/krb5/appl/gssftp/ftp/glob.c,v
retrieving revision 1.1.1.1
diff -c -r1.1.1.1 glob.c
*** glob.c 1997/06/02 21:54:20 1.1.1.1
--- glob.c 1998/09/18 21:50:01
***************
*** 104,111 ****
vv[1] = 0;
gflag = 0;
rscan(vv, tglob);
! if (gflag == 0)
return (copyblk(vv));
globerr = 0;
gpath = agpath; gpathp = gpath; *gpathp = 0;
--- 104,122 ----
vv[1] = 0;
gflag = 0;
rscan(vv, tglob);
! if (gflag == 0) {
! /*
! * If we don't do any expansion then we need to
! * make a copy of v since blkfree() will try to
! * free it.
! */
! vv[0] = strdup(v);
! if (vv[0] == NULL) {
! globerr = "Out of memory";
! return NULL;
! }
return (copyblk(vv));
+ }
globerr = 0;
gpath = agpath; gpathp = gpath; *gpathp = 0;
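Review bot: the no-wildcard early return still leaves globerr unreset on success, because the `globerr = 0;` line sits after the new block, and the block now also sets `globerr = "Out of memory";` before returning NULL; a caller that tests globerr after ftpglob() could therefore report a stale error string on a later call that takes the same path. Moving `globerr = 0;` above `if (gflag == 0) {` keeps the indicator consistent on every return. Also, if copyblk() can return NULL, the freshly strdup()'d vv[0] is leaked on that path and should be freed before returning.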
>Audit-Trail:
>Unformatted: