From david@lab.polymorf.fr  Mon Mar 15 12:37:02 2010
Message-Id: <201003151208.o2FC8Kxb053818@lab.polymorf.fr>
Date: Mon, 15 Mar 2010 12:08:20 GMT
From: David BERARD <contact@davidberard.fr>
Reply-To: David BERARD <contact@davidberard.fr>
To: FreeBSD-gnats-submit@freebsd.org
Cc: laurent@sintes.org
Subject: FTPD bug remote crash
X-Send-Pr-Version: 3.113
X-GNATS-Notify:

>Number:         144761
>Category:       bin
>Synopsis:       FTPD bug remote crash
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    delphij
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Mon Mar 15 12:40:07 UTC 2010
>Closed-Date:    Thu Apr 01 00:39:09 UTC 2010
>Last-Modified:  Thu Apr  1 00:40:04 UTC 2010
>Originator:     David BERARD
>Release:        FreeBSD 8.0-RELEASE amd64
>Organization:
NFrance Conseil
>Environment:
System: FreeBSD lab.polymorf.fr 8.0-RELEASE FreeBSD 8.0-RELEASE #0: Sat Nov 21 15:02:08 UTC 2009 root@mason.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC amd64

>Description:
FTPD child process can die with signal 11, bug found by Kingcope
	kernel: pid 46033 (ftpd), uid 1001: exited on signal 11
References :
	http://seclists.org/fulldisclosure/2010/Mar/117
	http://seclists.org/fulldisclosure/2010/Mar/138
	http://seclists.org/fulldisclosure/2010/Mar/139
>How-To-Repeat:
	ftp localhost
	[....login....]
	ftp> mkdir WWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWW
	ftp> ls {W*/../W*/../W*/../W*/../W*/../W*/../W*/}
	[....Server close connection....]
>Fix:

See the attached patch, should fix issue

--- ftpd_popen.patch begins here ---
--- /usr/src/libexec/ftpd/popen.c	2009-10-25 01:10:29.000000000 +0000
+++ /usr/src/libexec/ftpd/popen.c	2010-03-13 08:03:24.000000000 +0000
@@ -108,7 +108,7 @@
 		memset(&gl, 0, sizeof(gl));
 		gl.gl_matchc = MAXGLOBARGS;
 		flags |= GLOB_LIMIT;
-		if (glob(argv[argc], flags, NULL, &gl))
+		if (glob(argv[argc], flags, NULL, &gl) || gl.gl_pathc == 0)
 			gargv[gargc++] = strdup(argv[argc]);
 		else
 			for (pop = gl.gl_pathv; *pop && gargc < (MAXGLOBARGS-1);
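Review bot: the changed `if` line needs a comment saying why `gl.gl_pathc == 0` is handled like a glob() failure. As written, a successful glob() with no matches now forwards the unexpanded pattern `argv[argc]` to the command, and nothing in the code tells the next reader that this is deliberate or that gl_pathv must not be walked in that case. A one-line comment above the condition would cover both.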
--- ftpd_popen.patch ends here ---


>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-standards->freebsd-bugs 
Responsible-Changed-By: gavin 
Responsible-Changed-When: Sat Mar 20 14:48:34 UTC 2010 
Responsible-Changed-Why:  
Not a PR for standards@ 

http://www.freebsd.org/cgi/query-pr.cgi?pr=144761 

From: Bruce Cran <bruce@cran.org.uk>
To: bug-followup@freebsd.org,
 contact@davidberard.fr
Cc:  
Subject: Re: bin/144761: FTPD bug remote crash
Date: Sat, 20 Mar 2010 22:51:45 +0000

 This has been fixed in the NetBSD repository - see
 http://www.netbsd.org/cgi-bin/query-pr-single.pl?number=43023
 
 -- 
 Bruce Cran
State-Changed-From-To: open->patched 
State-Changed-By: delphij 
State-Changed-When: Thu Mar 25 22:41:11 UTC 2010 
State-Changed-Why:  
Patch from OpenBSD applied, thanks for bringing this to our 
attention! 


Responsible-Changed-From-To: freebsd-bugs->delphij 
Responsible-Changed-By: delphij 
Responsible-Changed-When: Thu Mar 25 22:41:11 UTC 2010 
Responsible-Changed-Why:  
Take since I have patched this issue. 


From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: bin/144761: commit references a PR
Date: Thu, 25 Mar 2010 22:41:11 +0000 (UTC)

 Author: delphij
 Date: Thu Mar 25 22:41:01 2010
 New Revision: 205656
 URL: http://svn.freebsd.org/changeset/base/205656
 
 Log:
   Check that gl_pathc is bigger than zero before dereferencing gl_pathv.
   When gl_pathc == 0, the content of gl_pathv is undefined.
   
   PR:		bin/144761
   Submitted by:	David BERARD <contact davidberard fr>
   Obtained from:	OpenBSD
   MFC after:	1 week
 
 Modified:
   head/libexec/ftpd/popen.c
 
 Modified: head/libexec/ftpd/popen.c
 ==============================================================================
 --- head/libexec/ftpd/popen.c	Thu Mar 25 20:07:30 2010	(r205655)
 +++ head/libexec/ftpd/popen.c	Thu Mar 25 22:41:01 2010	(r205656)
 @@ -110,10 +110,11 @@ ftpd_popen(char *program, char *type)
  		flags |= GLOB_LIMIT;
  		if (glob(argv[argc], flags, NULL, &gl))
  			gargv[gargc++] = strdup(argv[argc]);
 -		else
 +		else if (gl.gl_pathc > 0) {
  			for (pop = gl.gl_pathv; *pop && gargc < (MAXGLOBARGS-1);
  			     pop++)
  				gargv[gargc++] = strdup(*pop);
 +		}
  		globfree(&gl);
  	}
  	gargv[gargc] = NULL;
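Review bot: the new `else if (gl.gl_pathc > 0)` has no final `else`, so an argument for which glob() returns 0 with no matches is dropped from gargv altogether, while a glob() error still forwards the literal `argv[argc]`. If dropping the argument is intended, document it in a comment at that branch; otherwise fall back to `gargv[gargc++] = strdup(argv[argc]);` there too, so both no-result paths behave the same and the command is not run with fewer arguments than the client sent.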
 _______________________________________________
 svn-src-all@freebsd.org mailing list
 http://lists.freebsd.org/mailman/listinfo/svn-src-all
 To unsubscribe, send any mail to "svn-src-all-unsubscribe@freebsd.org"
 
State-Changed-From-To: patched->closed 
State-Changed-By: delphij 
State-Changed-When: Thu Apr 1 00:38:53 UTC 2010 
State-Changed-Why:  
Fixed in {6,7,8}-STABLE. 


From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: bin/144761: commit references a PR
Date: Thu,  1 Apr 2010 00:38:48 +0000 (UTC)

 Author: delphij
 Date: Thu Apr  1 00:38:38 2010
 New Revision: 206025
 URL: http://svn.freebsd.org/changeset/base/206025
 
 Log:
   MFC r205656:
   
   Check that gl_pathc is bigger than zero before dereferencing gl_pathv.
   When gl_pathc == 0, the content of gl_pathv is undefined.
   
   PR:		bin/144761
   Submitted by:	David BERARD <contact davidberard fr>
   Obtained from:	OpenBSD
 
 Modified:
   stable/8/libexec/ftpd/popen.c
 Directory Properties:
   stable/8/libexec/ftpd/   (props changed)
 
 Changes in other areas also in this revision:
 Modified:
   stable/6/libexec/ftpd/popen.c
   stable/7/libexec/ftpd/popen.c
 Directory Properties:
   stable/6/libexec/ftpd/   (props changed)
   stable/7/libexec/ftpd/   (props changed)
 
 Modified: stable/8/libexec/ftpd/popen.c
 ==============================================================================
 --- stable/8/libexec/ftpd/popen.c	Thu Apr  1 00:36:40 2010	(r206024)
 +++ stable/8/libexec/ftpd/popen.c	Thu Apr  1 00:38:38 2010	(r206025)
 @@ -110,10 +110,11 @@ ftpd_popen(char *program, char *type)
  		flags |= GLOB_LIMIT;
  		if (glob(argv[argc], flags, NULL, &gl))
  			gargv[gargc++] = strdup(argv[argc]);
 -		else
 +		else if (gl.gl_pathc > 0) {
  			for (pop = gl.gl_pathv; *pop && gargc < (MAXGLOBARGS-1);
  			     pop++)
  				gargv[gargc++] = strdup(*pop);
 +		}
  		globfree(&gl);
  	}
  	gargv[gargc] = NULL;
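Review bot: both `gargv[gargc++] = strdup(...)` assignments in this hunk store the result unchecked. The list is closed with `gargv[gargc] = NULL;`, so a failed strdup() would put a NULL in the middle of gargv and silently cut off the arguments that follow it. Since these lines are already being touched for a crash fix, check the return value and bail out on allocation failure, ideally as a follow-up on head that is then merged to the stable branches.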
 

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: bin/144761: commit references a PR
Date: Thu,  1 Apr 2010 00:39:09 +0000 (UTC)

 Author: delphij
 Date: Thu Apr  1 00:38:38 2010
 New Revision: 206025
 URL: http://svn.freebsd.org/changeset/base/206025
 
 Log:
   MFC r205656:
   
   Check that gl_pathc is bigger than zero before dereferencing gl_pathv.
   When gl_pathc == 0, the content of gl_pathv is undefined.
   
   PR:		bin/144761
   Submitted by:	David BERARD <contact davidberard fr>
   Obtained from:	OpenBSD
 
 Modified:
   stable/7/libexec/ftpd/popen.c
 Directory Properties:
   stable/7/libexec/ftpd/   (props changed)
 
 Changes in other areas also in this revision:
 Modified:
   stable/6/libexec/ftpd/popen.c
   stable/8/libexec/ftpd/popen.c
 Directory Properties:
   stable/6/libexec/ftpd/   (props changed)
   stable/8/libexec/ftpd/   (props changed)
 
 Modified: stable/7/libexec/ftpd/popen.c
 ==============================================================================
 --- stable/7/libexec/ftpd/popen.c	Thu Apr  1 00:36:40 2010	(r206024)
 +++ stable/7/libexec/ftpd/popen.c	Thu Apr  1 00:38:38 2010	(r206025)
 @@ -110,10 +110,11 @@ ftpd_popen(char *program, char *type)
  		flags |= GLOB_LIMIT;
  		if (glob(argv[argc], flags, NULL, &gl))
  			gargv[gargc++] = strdup(argv[argc]);
 -		else
 +		else if (gl.gl_pathc > 0) {
  			for (pop = gl.gl_pathv; *pop && gargc < (MAXGLOBARGS-1);
  			     pop++)
  				gargv[gargc++] = strdup(*pop);
 +		}
  		globfree(&gl);
  	}
  	gargv[gargc] = NULL;
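Review bot: the copy loop still terminates on the `*pop` sentinel, although the fix rests on gl_pathc being the field that says how much of gl_pathv is valid. Iterating with an index bounded by `gl.gl_pathc`, alongside the existing `gargc < (MAXGLOBARGS-1)` limit, would make the guard and the loop agree and would no longer depend on the contents of gl_pathv past the last match.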
 
>Unformatted:
