From krb5-bugs-incoming-bounces@PCH.mit.edu Mon Jan 23 18:00:40 2012
Return-Path: <krb5-bugs-incoming-bounces@PCH.mit.edu>
Received: from pch.mit.edu (PCH.MIT.EDU [18.7.21.90])
by krbdev.mit.edu (Postfix) with ESMTP id D7DAF3E6B5;
Mon, 23 Jan 2012 18:00:40 -0500 (EST)
Received: from pch.mit.edu (pch.mit.edu [127.0.0.1])
by pch.mit.edu (8.13.6/8.12.8) with ESMTP id q0NN0eOP017877;
Mon, 23 Jan 2012 18:00:40 -0500
Received: from mailhub-dmz-4.mit.edu (MAILHUB-DMZ-4.MIT.EDU [18.7.62.38])
by pch.mit.edu (8.13.6/8.12.8) with ESMTP id q0NMKP5d012447
for <krb5-bugs-incoming@PCH.mit.edu>; Mon, 23 Jan 2012 17:20:25 -0500
Received: from dmz-mailsec-scanner-2.mit.edu (DMZ-MAILSEC-SCANNER-2.MIT.EDU
[18.9.25.13])
by mailhub-dmz-4.mit.edu (8.13.8/8.9.2) with ESMTP id q0NMJ8Rp013938
for <krb5-bugs@mit.edu>; Mon, 23 Jan 2012 17:20:25 -0500
X-AuditID: 1209190d-b7fbf6d0000008ba-e2-4f1ddd2864d3
Authentication-Results: symauth.service.identifier; spf=pass; senderid=pass
Received: from mx1.redhat.com (mx1.redhat.com [209.132.183.28])
by dmz-mailsec-scanner-2.mit.edu (Symantec Messaging Gateway) with SMTP
id 17.A4.02234.82DDD1F4; Mon, 23 Jan 2012 17:20:25 -0500 (EST)
Received: from int-mx12.intmail.prod.int.phx2.redhat.com
(int-mx12.intmail.prod.int.phx2.redhat.com [10.5.11.25])
by mx1.redhat.com (8.14.4/8.14.4) with ESMTP id q0NMKNoF028107
(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK)
for <krb5-bugs@mit.edu>; Mon, 23 Jan 2012 17:20:23 -0500
Received: from blade.bos.redhat.com (blade.bos.redhat.com [10.16.184.36])
by int-mx12.intmail.prod.int.phx2.redhat.com (8.14.4/8.14.4) with ESMTP
id q0NMKMTR015265
(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO)
for <krb5-bugs@mit.edu>; Mon, 23 Jan 2012 17:20:23 -0500
Received: from blade.bos.redhat.com (localhost.localdomain [127.0.0.1])
by blade.bos.redhat.com (8.14.5/8.14.5) with ESMTP id q0NMKMGe013981
for <krb5-bugs@mit.edu>; Mon, 23 Jan 2012 17:20:22 -0500
Received: (from nalin@localhost)
by blade.bos.redhat.com (8.14.5/8.14.5/Submit) id q0NMKLFi013980;
Mon, 23 Jan 2012 17:20:21 -0500
Date: Mon, 23 Jan 2012 17:20:21 -0500
Message-Id: <201201232220.q0NMKLFi013980@blade.bos.redhat.com>
To: krb5-bugs@mit.edu
Subject: ftp: unterminated file mode passed to fopen()
From: nalin@redhat.com
X-send-pr-version: 3.99
X-Scanned-By: MIMEDefang 2.68 on 10.5.11.25
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFmpileJIrShJLcpLzFFi42K52LJdRlfzrqy/wZVLXBYND4+zOzB6NJ05
yhzAGMVlk5Kak1mWWqRvl8CV8fbuWeaC+TwVt97cYG5gfMbZxcjJISFgIvHxx1ImEJtRwFvi
zdXj7BBxMYkL99azdTFycQgJnGCUOPqlmQXC2cQk0fpiK5SzlEniR+N9qLKTjBJPb21nhXDa
GCWenbsMNJiDg0VAVeLe42iQubwCdhIP7m9kA7FFBEQlXv49xgJiCwuYSVxtnQpmswHtvjHv
FCuILSTAJdH6aQlYPbMAi8SfNxtYIO4Tl9ix/TTUrdoSn5tnskxgFFzAyLCKUTYlt0o3NzEz
pzg1Wbc4OTEvL7VI10gvN7NELzWldBMjMNCEOCV5dzC+O6h0iFGAg1GJh1dipqy/EGtiWXFl
7iFGSQ4mJVHesjtAIb6k/JTKjMTijPii0pzU4kOMEhzMSiK8aueAcrwpiZVVqUX5MClpDhYl
cV5VrXd+QgLpiSWp2ampBalFMFkmDvZDjDIcHEoSvF0gkwWLUtNTK9Iyc0qQ1XCCCC6QNTxA
axpACnmLCxJzizPTIYpOMepyXPjVdp5RiCUvPy9VSpw3FqRIAKQoozQPbhgoadT/////EqOs
lDAvIwMDgxAP0DXAQEDIg5LOK0ZxYAAI80aCTOHJzCuB2/QK6AgmoCM48qRAjihJREhJNTCe
rihwM7EvKbNa9332v2PRlwIut69msHI/ZiT0b3mjbUY6D0emph7v6rvWbnyM+zafmnV/G/NF
2yd3Hnm/uqWUJZh9J5f1uF5outxeLa1jaX+1g5VnKVvy/ON71mSkedHxCnu9776de+5IXDA/
PUuLQ6T7R7hnas3M9Tp8Xpo+R16K7z1b912JpTgj0VCLuag4EQDmOFDoFQMAAA==
X-Mailman-Approved-At: Mon, 23 Jan 2012 18:00:39 -0500
X-BeenThere: krb5-bugs-incoming@mailman.mit.edu
X-Mailman-Version: 2.1.6
Precedence: list
Sender: krb5-bugs-incoming-bounces@PCH.mit.edu
Errors-To: krb5-bugs-incoming-bounces@PCH.mit.edu
>Submitter-Id: net
>Originator:
>Organization:
>Confidential: no
>Synopsis: the ftp client can pass an unterminated string to fopen()
>Severity: non-critical
>Priority: low
>Category: krb5-appl
>Class: sw-bug
>Release: 1.0.2
>Environment:
System: Linux blade.bos.redhat.com 3.2.1-5.fc17.x86_64 #1 SMP Tue Jan 17 18:57:18 UTC 2012 x86_64 x86_64 x86_64 GNU/Linux
Architecture: x86_64
>Description:
Siddhesh Poyarekar notes that the file mode that is passed to fopen() via recvrequest() when "ftp" is executing an "mls" or "mdir" command isn't properly terminated.
>How-To-Repeat:
We've gotten sporadic reports about this causing the client to fail in cases where the next byte on the stack happens to be 'x', but nothing reliably reproducible at this point.
>Fix:
There are multiple variations on a fix, but here's Siddhesh's patch:

--- a/gssftp/ftp/cmds.c 2012-01-12 13:06:12.827204828 +0530
+++ b/gssftp/ftp/cmds.c 2012-01-12 13:06:08.978204741 +0530
@@ -1685,7 +1685,7 @@ voip mls(argc, argv)
{
sig_t oldintr;
int ointer, i;
- char *volatile cmd, rmode[1], *dest;
+ char *volatile cmd, rmode[2], *dest;
if (argc < 2 && !another(&argc, &argv, "remote-files"))
goto usage;
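Review bot: growing `rmode` from 1 to 2 bytes in `char *volatile cmd, rmode[2], *dest;` only makes room for the terminator; nothing in this hunk writes it, so the second byte stays uninitialized until the loop in the next hunk runs, and the two hunks are only correct together. Initializing at the declaration (`char rmode[2] = "";`) would make the buffer a valid string on every path that reaches `recvrequest()`, independent of the loop. Note also that the `volatile` in this declarator qualifies `cmd` alone, so `rmode` is not volatile across the `setjmp(jabort)` below; that is acceptable only because the loop rewrites it before each use.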
@@ -1709,7 +1709,8 @@ usage:
oldintr = signal(SIGINT, mabort);
(void) setjmp(jabort);
for (i = 1; mflag && i < argc-1; ++i) {
- *rmode = (i == 1) ? 'w' : 'a';
+ rmode[0] = (i == 1) ? 'w' : 'a';
+ rmode[1] = 0;
recvrequest(cmd, dest, argv[i], rmode, 0, 0);
if (!mflag && fromatty) {
ointer = interactive;
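Review bot: the patch touches only `mls()` (see the `@@ ... mls(argc, argv)` header), while the description names both `mls` and `mdir` as affected; please confirm that the `mdir` command dispatches to this same function, and if it has its own implementation it needs the same change. Within the hunk, `rmode[1] = 0;` is re-executed on every iteration although it never changes; since the mode is always exactly "w" or "a", passing a literal directly, `recvrequest(cmd, dest, argv[i], (i == 1) ? "w" : "a", 0, 0);`, would remove the buffer altogether if `recvrequest()` does not modify its mode argument. Otherwise, writing the terminator once before the loop (or at the declaration) keeps the loop body to the single assignment that varies.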
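Added example, not krb5-appl code and not part of Siddhesh's patch: a stand-alone C mirror of the patched loop's mode handling, together with the bounded checks a reviewer would want before a buffer like this reaches fopen(). The helper names (mode_for_transfer, str_is_terminated, fopen_mode_ok, demo) are my own, and the two-byte "stack image" holding 'w' followed by 'x' is constructed to stand in for the layout the report describes. For context, glibc accepts 'x' as an exclusive-create modifier, so a mode read as "wx" makes fopen() fail whenever the local file already exists.

```c
#include <stdio.h>
#include <string.h>

/* Added example (not krb5-appl code). Helper names are assumptions:
 * mode_for_transfer(), str_is_terminated(), fopen_mode_ok(), demo(). */

/* Same logic as the patched mls() loop: the first file of an mls/mdir run
 * truncates the local destination ("w"), every later file appends ("a").
 * The buffer is 2 bytes so the NUL that fopen() reads up to always fits. */
const char *mode_for_transfer(int index, char rmode[2])
{
    rmode[0] = (index == 1) ? 'w' : 'a';
    rmode[1] = '\0';   /* the byte the original 1-element array had no room for */
    return rmode;
}

/* Bounded check: is there a NUL within the first `size` bytes?  memchr()
 * never reads past `size`, so this is safe even on an unterminated buffer,
 * unlike strlen(). */
int str_is_terminated(const char *buf, size_t size)
{
    return memchr(buf, '\0', size) != NULL;
}

/* Stricter gate before handing a mode string to fopen(): terminated, non-empty,
 * opens with r/w/a and carries only the portable '+'/'b' modifiers.  Anything
 * else (such as a stray 'x' picked up from a neighbouring stack byte) is refused. */
int fopen_mode_ok(const char *buf, size_t size)
{
    const char *nul = memchr(buf, '\0', size);
    if (nul == NULL || nul == buf)
        return 0;                          /* unterminated or empty */
    if (strchr("rwa", buf[0]) == NULL)
        return 0;                          /* must start with r, w or a */
    for (const char *p = buf + 1; *p != '\0'; ++p)
        if (strchr("+b", *p) == NULL)
            return 0;                      /* unexpected modifier */
    return 1;
}

/* Run the cases the bug report describes; returns 1 when every check holds. */
int demo(void)
{
    char fixed[2];
    char broken[2] = { 'w', 'x' };   /* constructed stack image: 1-byte rmode, then 'x' */

    /* patched code: a proper "w" then "a" string on every iteration */
    if (strcmp(mode_for_transfer(1, fixed), "w") != 0) return 0;
    if (!fopen_mode_ok(fixed, sizeof fixed)) return 0;
    if (strcmp(mode_for_transfer(2, fixed), "a") != 0) return 0;
    if (!fopen_mode_ok(fixed, sizeof fixed)) return 0;

    /* original layout: fopen() would parse past the 'w' into whatever followed */
    if (str_is_terminated(broken, sizeof broken)) return 0;
    if (fopen_mode_ok(broken, sizeof broken)) return 0;

    return 1;
}

int main(void)
{
    int ok = demo();
    printf("mode-termination checks %s\n", ok ? "passed" : "FAILED");
    return ok ? 0 : 1;
}
```

The point of `str_is_terminated()` over `strlen()` is that it takes the buffer size and cannot itself run off the end; `fopen_mode_ok()` then rejects any mode that is not one of the small set the client intends to use, which turns the silent misbehaviour in the report into an explicit failure close to its cause.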