Message-Id: <200607111419.k6BEJmWx094573@www.freebsd.org>
Date: Tue, 11 Jul 2006 14:19:48 GMT
From: Roel <roel@roeltje.com>
To: freebsd-gnats-submit@FreeBSD.org
Subject: default ftp application of FreeBSD gives segmentation fault
X-Send-Pr-Version: www-2.3

>Number:         100089
>Category:       bin
>Synopsis:       [patch] ftp(1): default ftp application of FreeBSD gives segmentation fault
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    brucec
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue Jul 11 14:20:12 GMT 2006
>Closed-Date:    Sat Mar 05 04:19:06 UTC 2011
>Last-Modified:  Sat Mar  5 04:20:21 UTC 2011
>Originator:     Roel
>Release:        5.4-RELEASE and 5.3-RELEASE
>Organization:
roeltje.com
>Environment:
FreeBSD roeltje.com 5.4-RELEASE FreeBSD 5.4-RELEASE #0: Sun Nov 27 13:57:21 CET 2005     roel@roeltje.com:/usr/src/sys/i386/compile/DUST  i386

FreeBSD FreeBSD.Generaal.net 5.3-RELEASE FreeBSD 5.3-RELEASE #0: Wed Dec  1 16:31:46 UTC 2004     root@FreeBSD.Generaal.net:/usr/src/sys/i386/compile/GENERAAL  i386

>Description:
I accidentally forgot the "grep" when showing the processes (ps -aux), and then the ftp application crashed.

I could reproduce the error every time, when I do the following:

$ps -aux | ftp

Normally I would do the following:
$ps -aux | grep ftp

but without the grep you will get the following:
?Invalid command.
?Invalid command.
?Invalid command.
?Invalid command.
...(etc.)
?Invalid command.
?Invalid command.
?Invalid command.
?Invalid command.
?Invalid command.
Segmentation fault (core dumped) <=== Crash!

I guess this could be pretty useful for some exploit. 

>How-To-Repeat:
$ps -aux | ftp
>Fix:
Somewhere in the code of the client application of ftp I guess
>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-i386->freebsd-bin 
Responsible-Changed-By: remko 
Responsible-Changed-When: Mon Jul 17 20:38:22 UTC 2006 
Responsible-Changed-Why:  
Reassign to the BIN category, this is not a security issue in our eyes 
(secteam) but might be a bug in the FTP application. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=100089 
Responsible-Changed-From-To: freebsd-bin->freebsd-bugs 
Responsible-Changed-By: remko 
Responsible-Changed-When: Mon Jul 17 20:39:37 UTC 2006 
Responsible-Changed-Why:  
Correct assignee 

http://www.freebsd.org/cgi/query-pr.cgi?pr=100089 

From: Bruce Cran <bruce@cran.org.uk>
To: bug-followup@FreeBSD.org, roel@roeltje.com
Cc:  
Subject: Re: bin/100089: ftp(1): default ftp application of FreeBSD gives
 segmentation fault
Date: Sun, 04 May 2008 15:13:16 +0100

 I can't reproduce the problem here but I suspect it depends very much on 
 the applications which are running on the system: ftp is trying to 
 interpret each line in 'ps -aux' as a command.  If you can reproduce the 
 segfault could you post the output of 'ps -aux' so we can see what 
 commands ftp is being given?
 
 -- 
 Bruce
State-Changed-From-To: open->feedback 
State-Changed-By: linimon 
State-Changed-When: Sun May 4 18:03:51 UTC 2008 
State-Changed-Why:  
Note that submitter has been asked for feedback. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=100089 

From: Bruce Cran <bruce@cran.org.uk>
To: bug-followup@FreeBSD.org, Roel Verdult <roel@roeltje.com>
Cc:  
Subject: Re: bin/100089: ftp(1): default ftp application of FreeBSD gives
 segmentation fault
Date: Mon, 05 May 2008 18:42:19 +0100

 The problem occurs when the user is running named: one of the lines in 
 'ps -aux' begins with "bind" (since named runs under the username 
 'bind'), which libedit interprets as a command.  The same problem can be 
 seen just by running
 
  > echo bind | ftp
 
 The problem occurs because editline is only initialized if an interactive 
 tty is being used. Otherwise, the controlediting function in util.c 
 skips all the initializing calls.  However, later on cmdscanner is called 
 which attempts to run el_parse on unknown commands.  'el' is NULL and 
 causes a segfault when it's dereferenced in map_bind (map.c:1261).  The 
 fix is to prevent cmdscanner calling el_parse if 'editing' is 0.
 
 -- 
 Bruce
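
The state dependency described in the follow-up above, modelled as a stand-alone C program (an added example, not code from lukemftp or libedit). `struct editline`, `control_editing`, `model_el_parse`, `unknown_command` and `feed` are hypothetical stand-ins, and the model counts a NULL handle instead of dereferencing it so that the unguarded and guarded paths can both be run.

```c
#include <stddef.h>
#include <string.h>

struct editline { int bindings; };       /* stand-in for libedit's EditLine */
static struct editline el_storage, *el;  /* el stays NULL until initialised */
static int editing;                      /* nonzero only on an interactive tty */
static int null_derefs;                  /* times the real code would fault */
/* Constructed sample: first column of ps -aux on a host running named. */
static const char *const ps_users[] = { "USER", "root", "bind", "www" };

/* Models controlediting(): init is skipped when input is not a tty. */
static void control_editing(int interactive)
{
    editing = interactive;
    el = interactive ? &el_storage : NULL;
}

/* Models el_parse(): "bind" is the only editline builtin modelled. */
static int model_el_parse(struct editline *e, int argc, const char **argv)
{
    if (argc < 1 || strcmp(argv[0], "bind") != 0)
        return -1;                       /* not an editline command */
    if (e == NULL) {                     /* map_bind would dereference here */
        null_derefs++;
        return -1;
    }
    e->bindings++;
    return 0;
}

/* Fallback for an unmatched word; returns 1 for "?Invalid command.". */
static int unknown_command(const char *word, int guarded)
{
    const char *margv[] = { word, NULL };
    if (strchr(word, ':') != NULL || (guarded && !editing) ||
        model_el_parse(el, 1, margv) != 0)
        return 1;
    return 0;
}

/* Feed each word as piped input would; returns the NULL-deref count. */
static int feed(const char *const *words, size_t n, int interactive, int guarded)
{
    null_derefs = 0;
    control_editing(interactive);
    for (size_t i = 0; i < n; i++)
        (void)unknown_command(words[i], guarded);
    return null_derefs;
}
int main(void) { return feed(ps_users, 4, 0, 1); }  /* guarded: exits 0 */
```

Calling `feed(ps_users, 4, 0, 0)` gives the pre-fix behaviour on piped input: the "bind" word reaches the editline fallback once with a NULL handle.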
State-Changed-From-To: feedback->analyzed 
State-Changed-By: linimon 
State-Changed-When: Mon May 5 18:02:05 UTC 2008 
State-Changed-Why:  
Problem confirmed, and a solution has been proposed. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=100089 

From: Bruce Cran <bruce@cran.org.uk>
To: bug-followup@FreeBSD.org, Roel Verdult <roel@roeltje.com>
Cc:  
Subject: Re: bin/100089: ftp(1): default ftp application of FreeBSD gives
 segmentation fault
Date: Tue, 06 May 2008 00:09:06 +0100

 This issue was entered into the NetBSD PR system as bin/38589 and has 
 now been fixed in their repository:
 
 Module Name:	src
   Committed By:	lukem
   Date:		Mon May  5 22:54:11 UTC 2008
 
   Modified Files:
   	src/usr.bin/ftp: main.c version.h
 
   Log Message:
   Only attempt to el_parse() a command unknown by the default parser
   if editing is enabled.
   Fixes PR bin/38589
 
 
 The fix still needs to be merged to FreeBSD.
 
 -- 
 Bruce

From: bruce@cran.org.uk
To: bug-followup@freebsd.org
Cc:  
Subject: Re: bin/100089: ftp(1): default ftp application of FreeBSD gives segmentation fault
Date: Mon, 14 Jul 2008 12:16:53 +0100

 The attached patch should fix the bug on FreeBSD.
 
 -- 
 Bruce Cran
 
 --- /usr/src/contrib/lukemftp/src/main.c	2005-05-17 04:11:28.000000000 +0100
 +++ main.c	2008-07-14 12:08:29.000000000 +0100
 @@ -707,6 +707,7 @@
  			 * such commands as invalid.
  			 */
  			if (strchr(margv[0], ':') != NULL ||
 +			    !editing || 
  			    el_parse(el, margc, (const char **)margv) != 0)
  #endif /* !NO_EDITCOMPLETE */
  				fputs("?Invalid command.\n", ttyout);
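
Review bot: the added `!editing || ` line ends with a space after `||`; strip the trailing whitespace so it matches the two neighbouring condition lines. The file headers also pair an absolute path (`/usr/src/contrib/lukemftp/src/main.c`) with a bare `main.c`; regenerating the diff from the tree root with matching relative paths on both lines would remove any guesswork about where to apply it.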
 
State-Changed-From-To: analyzed->patched 
State-Changed-By: brucec 
State-Changed-When: Sun Feb 27 10:15:38 UTC 2011 
State-Changed-Why:  
Fixed in HEAD. 


Responsible-Changed-From-To: freebsd-bugs->brucec 
Responsible-Changed-By: brucec 
Responsible-Changed-When: Sun Feb 27 10:15:38 UTC 2011 
Responsible-Changed-Why:  
Take. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=100089 
State-Changed-From-To: patched->closed 
State-Changed-By: brucec 
State-Changed-When: Sat Mar 5 04:18:48 UTC 2011 
State-Changed-Why:  
Merged to stable/7 and stable/8. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=100089 

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: bin/100089: commit references a PR
Date: Sat,  5 Mar 2011 04:16:01 +0000 (UTC)

 Author: brucec
 Date: Sat Mar  5 04:15:46 2011
 New Revision: 219297
 URL: http://svn.freebsd.org/changeset/base/219297
 
 Log:
   MFC r219081:
   
   Merge fix from r1.108 of NetBSD's usr.bin/ftp/main.c:
   
   Only attempt to el_parse() a command unknown by the default parser
   if editing is enabled.
   
   PR:           bin/100089
 
 Modified:
   stable/8/contrib/lukemftp/src/main.c
 Directory Properties:
   stable/8/contrib/lukemftp/   (props changed)
 
 Modified: stable/8/contrib/lukemftp/src/main.c
 ==============================================================================
 --- stable/8/contrib/lukemftp/src/main.c	Sat Mar  5 04:11:06 2011	(r219296)
 +++ stable/8/contrib/lukemftp/src/main.c	Sat Mar  5 04:15:46 2011	(r219297)
 @@ -707,6 +707,7 @@ cmdscanner(void)
  			 * such commands as invalid.
  			 */
  			if (strchr(margv[0], ':') != NULL ||
 +			    !editing ||
  			    el_parse(el, margc, (const char **)margv) != 0)
  #endif /* !NO_EDITCOMPLETE */
  				fputs("?Invalid command.\n", ttyout);
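
Review bot: the new `!editing ||` term in cmdscanner() tests the flag, while the value handed to `el_parse()` on the next line is `el`, so the guard is only as strong as the invariant that `editing` is nonzero exactly when `el` has been initialised. Consider testing `el == NULL` in the same condition as well, or stating that invariant where `editing` and `el` are set up, so a later change to the initialisation path cannot reopen the NULL dereference.
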
 _______________________________________________
 svn-src-all@freebsd.org mailing list
 http://lists.freebsd.org/mailman/listinfo/svn-src-all
 To unsubscribe, send any mail to "svn-src-all-unsubscribe@freebsd.org"
 

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: bin/100089: commit references a PR
Date: Sat,  5 Mar 2011 04:18:49 +0000 (UTC)

 Author: brucec
 Date: Sat Mar  5 04:18:29 2011
 New Revision: 219298
 URL: http://svn.freebsd.org/changeset/base/219298
 
 Log:
   MFC r219081:
   
   Merge fix from r1.108 of NetBSD's usr.bin/ftp/main.c:
   
   Only attempt to el_parse() a command unknown by the default parser
   if editing is enabled.
   
   PR:           bin/100089
 
 Modified:
   stable/7/contrib/lukemftp/src/main.c
 Directory Properties:
   stable/7/contrib/lukemftp/   (props changed)
 
 Modified: stable/7/contrib/lukemftp/src/main.c
 ==============================================================================
 --- stable/7/contrib/lukemftp/src/main.c	Sat Mar  5 04:15:46 2011	(r219297)
 +++ stable/7/contrib/lukemftp/src/main.c	Sat Mar  5 04:18:29 2011	(r219298)
 @@ -707,6 +707,7 @@ cmdscanner(void)
  			 * such commands as invalid.
  			 */
  			if (strchr(margv[0], ':') != NULL ||
 +			    !editing ||
  			    el_parse(el, margc, (const char **)margv) != 0)
  #endif /* !NO_EDITCOMPLETE */
  				fputs("?Invalid command.\n", ttyout);
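
Review bot: the comment ending "such commands as invalid." directly above the condition is not touched by this hunk, so the reason for the new `!editing ||` term is recorded only in the commit log. If that comment does not already cover the non-editing case, add a line to it saying that unknown commands are also reported as invalid when editing is disabled, because `el` is not set up in that mode.
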
 
>Unformatted:
