Date: Mon, 23 Jan 2012 17:20:21 -0500
Message-Id: <201201232220.q0NMKLFi013980@blade.bos.redhat.com>
To: krb5-bugs@mit.edu
Subject: ftp: unterminated file mode passed to fopen()
From: nalin@redhat.com


>Submitter-Id: net
>Originator:
>Organization:
>Confidential: no
>Synopsis: the ftp client can pass an unterminated string to fopen()
>Severity: non-critical
>Priority: low
>Category: krb5-appl
>Class: sw-bug
>Release: 1.0.2
>Environment:

System: Linux blade.bos.redhat.com 3.2.1-5.fc17.x86_64 #1 SMP Tue Jan 17 18:57:18 UTC 2012 x86_64 x86_64 x86_64 GNU/Linux
Architecture: x86_64

>Description:
Siddhesh Poyarekar notes that the file mode that is passed to
fopen() via recvrequest() when "ftp" is executing an "mls" or "mdir"
command isn't properly terminated.
>How-To-Repeat:
We've gotten sporadic reports about this causing the client to fail in
cases where the next byte on the stack happens to be 'x', but nothing
reliably reproducible at this point.
>Fix:
There are multiple variations on a fix, but here's Siddhesh's patch:

--- a/gssftp/ftp/cmds.c 2012-01-12 13:06:12.827204828 +0530
+++ b/gssftp/ftp/cmds.c 2012-01-12 13:06:08.978204741 +0530
@@ -1685,7 +1685,7 @@ voip mls(argc, argv)
{
sig_t oldintr;
int ointer, i;
- char *volatile cmd, rmode[1], *dest;
+ char *volatile cmd, rmode[2], *dest;

if (argc < 2 && !another(&argc, &argv, "remote-files"))
goto usage;
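Review bot: the declaration `char *volatile cmd, rmode[2], *dest;` still leaves rmode uninitialized, and the literal 2 only works because of the two stores made later in the loop. Consider giving rmode its own declaration with an initializer, for example `char rmode[2] = "";`, so the buffer is terminated from the start even if a later edit drops the explicit store.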
@@ -1709,7 +1709,8 @@ usage:
oldintr = signal(SIGINT, mabort);
(void) setjmp(jabort);
for (i = 1; mflag && i < argc-1; ++i) {
- *rmode = (i == 1) ? 'w' : 'a';
+ rmode[0] = (i == 1) ? 'w' : 'a';
+ rmode[1] = 0;
recvrequest(cmd, dest, argv[i], rmode, 0, 0);
if (!mflag && fromatty) {
ointer = interactive;
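Review bot: in the loop, the stores to rmode[0] and rmode[1] exist only to hand recvrequest() a one-character mode string; if recvrequest() does not write through that argument, passing `(i == 1) ? "w" : "a"` directly would remove the buffer and the termination concern altogether. If the buffer stays, `rmode[1] = '\0';` states the intent more clearly than `rmode[1] = 0;`.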
From: ghudson@mit.edu
Subject: SVN Commit

Ensure termination of file mode in gssftp's mls

Depending on stack contents, mls or mdir could sporadically fail due
to an unterminated file mode argument. Patch from Siddhesh Poyarekar
via nalin@redhat.com.


Commit By: ghudson
Revision: 3330
Changed Files:
U trunk/gssftp/ftp/cmds.c
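
Added example, not part of the report or the krb5 source: it shows why a stray 'x' after the mode letter makes the second mls pass fail. glibc's fopen() treats 'x' as exclusive create (O_EXCL), so "ax" on the already existing listing file returns EEXIST. The file name, the helper names and the stray byte are constructed for the demonstration, and the stray byte is placed in a correctly sized buffer rather than read off the stack.

```c
#include <errno.h>
#include <stdio.h>

/* Constructed sample path, standing in for the local listing file (dest). */
#define DEMO_DEST "mls-demo-listing.tmp"

/* Patched form: one mode character plus an explicit terminator. */
static void build_mode(char rmode[2], int i)
{
    rmode[0] = (i == 1) ? 'w' : 'a';
    rmode[1] = '\0';
}

/* Return 0 if fopen(path, mode) succeeds, otherwise the errno it set. */
static int try_fopen(const char *path, const char *mode)
{
    FILE *fp;
    errno = 0;
    fp = fopen(path, mode);
    if (fp == NULL)
        return errno ? errno : -1;
    fclose(fp);
    return 0;
}

/*
 * Model loop pass i == 2, when dest already exists from pass 1.
 * "stray" is the byte assumed to follow the old one-byte rmode[1] on the
 * stack. With patched != 0 the mode is built as in the fix.
 */
int second_pass_result(char stray, int patched)
{
    char mode[3] = { 'a', stray, '\0' };
    int rc;

    if (try_fopen(DEMO_DEST, "w") != 0)   /* pass 1 created the file */
        return -1;
    if (patched)
        build_mode(mode, 2);
    rc = try_fopen(DEMO_DEST, mode);      /* pass 2 appends to it */
    remove(DEMO_DEST);
    return rc;
}

int main(void)
{
    printf("unpatched, stray 'x': %d (EEXIST=%d)\n", second_pass_result('x', 0), EEXIST);
    printf("patched: %d\n", second_pass_result('x', 1));
    return 0;
}
```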