From nobody@FreeBSD.org  Sun Jul 15 08:59:38 2001
Return-Path: <nobody@FreeBSD.org>
Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21])
	by hub.freebsd.org (Postfix) with ESMTP id D3CCD37B401
	for <freebsd-gnats-submit@FreeBSD.org>; Sun, 15 Jul 2001 08:59:28 -0700 (PDT)
	(envelope-from nobody@FreeBSD.org)
Received: (from nobody@localhost)
	by freefall.freebsd.org (8.11.4/8.11.4) id f6FFxS383951;
	Sun, 15 Jul 2001 08:59:28 -0700 (PDT)
	(envelope-from nobody)
Message-Id: <200107151559.f6FFxS383951@freefall.freebsd.org>
Date: Sun, 15 Jul 2001 08:59:28 -0700 (PDT)
From: SASAKI Taroh <taroh@taroh.org>
To: freebsd-gnats-submit@FreeBSD.org
Subject: ftp(1) has stack overflow when "mget *", etc.
X-Send-Pr-Version: www-1.0

>Number:         28990
>Category:       bin
>Synopsis:       ftp(1) has stack overflow when "mget *", etc.
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    mikeh
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sun Jul 15 09:00:01 PDT 2001
>Closed-Date:    Mon Oct 1 22:35:47 PDT 2001
>Last-Modified:  Mon Oct 01 22:36:02 PDT 2001
>Originator:     SASAKI Taroh
>Release:        4.3-20010713-STABLE
>Organization:
kanagawa university
>Environment:
FreeBSD ns1.taroh.org 4.3-20010713-STABLE FreeBSD 4.3-20010713-STABLE #0: Sat Jul 14 15:46:29 JST 2001     root@ns1.taroh.org:/local.ground/usr_src/sys/compile/ns1  i386

>Description:
my stack protector (http://www.trl.ibm.com/projects/security/ssp/) detected
an illegal stack access in the ftp(1) client, in /usr/src/usr.bin/ftp/util.c.
This appears when the client issues the NLST command to the remote.

>How-To-Repeat:
compile ftp(1) with the stack protector and do "mget *" on any remote host.

>Fix:
*** usr/src/usr.bin/ftp/util.c  Mon Jul 16 00:45:11 2001
--- usr/src/usr.bin/ftp/util.c.org      Mon Jul 16 00:37:57 2001
***************
*** 371,377 ****
                  hash = 0;
                  if (doswitch)
                          pswitch(!proxy);
!                 for (mode = "w", ++argv; *argv != NULL; argv++, mode = "a")
                          recvrequest("NLST", temp, *argv, mode, 0, 0);
                if ((code / 100) != COMPLETE) {
                        if (errbuf != NULL)
--- 371,377 ----
                  hash = 0;
                  if (doswitch)
                          pswitch(!proxy);
!                 for (mode = "w"; *++argv != NULL; mode = "a")
                          recvrequest("NLST", temp, *argv, mode, 0, 0);
                if ((code / 100) != COMPLETE) {
                        if (errbuf != NULL)

>Release-Note:
>Audit-Trail:

From: Chris Faulhaber <jedgar@fxp.org>
To: SASAKI Taroh <taroh@taroh.org>
Cc: freebsd-gnats-submit@FreeBSD.org
Subject: Re: bin/28990: ftp(1) has stack overflow when "mget *", etc.
Date: Sun, 15 Jul 2001 13:23:58 -0400

 On Sun, Jul 15, 2001 at 08:59:28AM -0700, SASAKI Taroh wrote:
 > 
 > >Fix:
 > *** usr/src/usr.bin/ftp/util.c  Mon Jul 16 00:45:11 2001
 > --- usr/src/usr.bin/ftp/util.c.org      Mon Jul 16 00:37:57 2001
 > ***************
 > *** 371,377 ****
 >                   hash = 0;
 >                   if (doswitch)
 >                           pswitch(!proxy);
 > !                 for (mode = "w", ++argv; *argv != NULL; argv++, mode = "a")
 
 I don't seem to be able to locate this piece of code in util.c.
 According to cvsweb, the 'fix' has been in the tree since rev 1.1.
 
 >                           recvrequest("NLST", temp, *argv, mode, 0, 0);
 >                 if ((code / 100) != COMPLETE) {
 >                         if (errbuf != NULL)
 > --- 371,377 ----
 >                   hash = 0;
 >                   if (doswitch)
 >                           pswitch(!proxy);
 > !                 for (mode = "w"; *++argv != NULL; mode = "a")
 >                           recvrequest("NLST", temp, *argv, mode, 0, 0);
 >                 if ((code / 100) != COMPLETE) {
 >                         if (errbuf != NULL)
 > 
 
 -- 
 Chris D. Faulhaber - jedgar@fxp.org - jedgar@FreeBSD.org
 --------------------------------------------------------
 FreeBSD: The Power To Serve   -   http://www.FreeBSD.org
 

From: SASAKI Taroh <taroh@taroh.org>
To: Chris Faulhaber <jedgar@fxp.org>
Cc: SASAKI Taroh <taroh@taroh.org>, freebsd-gnats-submit@FreeBSD.org
Subject: Re: bin/28990: ftp(1) has stack overflow when "mget *", etc.
Date: Mon, 16 Jul 2001 03:34:40 +0900

 hi,
 
 At Sun, 15 Jul 2001 13:23:58 -0400,
 Chris Faulhaber <jedgar@fxp.org> wrote:
 
 > > !                 for (mode = "w", ++argv; *argv != NULL; argv++, mode = "a")
 (snip)
 > > !                 for (mode = "w"; *++argv != NULL; mode = "a")
 
 > I don't seem to be able to locate this piece of code in util.c.
 > According to cvsweb, the 'fix' has been in the tree since rev 1.1.
 
 	sorry, my mistake.
 	that's because the diff arguments are in reverse order
 	(diff NEW OLD):
 
 > > *** usr/src/usr.bin/ftp/util.c  Mon Jul 16 00:45:11 2001
 > > --- usr/src/usr.bin/ftp/util.c.org      Mon Jul 16 00:37:57 2001
 
 thanks,
 
 * Please don't attach any application dependent (e.g. MS-Excel or Word)
   file. I'll NEVER open it for the sake of protecting the network.
 
 --- SASAKI, Taroh         | When you go on this road, never be anxious.|
     mailto:taroh@taroh.org|               If you fear, there's no road.|
     http://www.taroh.org/ | ???         If you step, that'll be a road.|
     phone://81/908/50/76728  %   Go, don't be hesitate.  You will know.|
     icq:19785633          |  **********  ***      --- Ikkyu, the Bonze |
     address:jp/221/0005/4/541/1/203A  **** ----------------------------+
     global:/wgs84/n35/30/06.9/e139/38/14.6/h29
     pgpfingerprint:4C/6A/E6/0E/D5/A1/DA/AC/54/8F/94/E9/E3/F2/9C/08

From: Mike Heffner <mheffner@novacoxmail.com>
To: SASAKI Taroh <taroh@taroh.org>
Cc: freebsd-gnats-submit@FreeBSD.org
Subject: RE: bin/28990: ftp(1) has stack overflow when "mget *", etc.
Date: Sun, 15 Jul 2001 16:20:23 -0400 (EDT)

 On 15-Jul-2001 SASAKI Taroh wrote:
 | 
 |>Fix:
 | *** usr/src/usr.bin/ftp/util.c  Mon Jul 16 00:45:11 2001
 | --- usr/src/usr.bin/ftp/util.c.org      Mon Jul 16 00:37:57 2001
 | ***************
 | *** 371,377 ****
 |                   hash = 0;
 |                   if (doswitch)
 |                           pswitch(!proxy);
 | !                 for (mode = "w", ++argv; *argv != NULL; argv++, mode = "a")
 |                           recvrequest("NLST", temp, *argv, mode, 0, 0);
 |                 if ((code / 100) != COMPLETE) {
 |                         if (errbuf != NULL)
 | --- 371,377 ----
 |                   hash = 0;
 |                   if (doswitch)
 |                           pswitch(!proxy);
 | !                 for (mode = "w"; *++argv != NULL; mode = "a")
 |                           recvrequest("NLST", temp, *argv, mode, 0, 0);
 |                 if ((code / 100) != COMPLETE) {
 |                         if (errbuf != NULL)
 
 Now that I look at this more, this change is nil, there is no change in
 behavior. What exactly is the 'illegal stack access' that your program is
 detecting and where is it occurring?
 
 Mike
 
 -- 
   Mike Heffner         <mheffner@[acm.]vt.edu>
   Fredericksburg, VA       <mikeh@FreeBSD.org>
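
Mike's point, that both spellings of the loop do the same thing, can be checked directly. The following is an added example and is not code from the PR or from FreeBSD's ftp(1): it reproduces the two loop forms from the hunk over a NULL-terminated argv and records the (mode, argument) pairs each one hands on, with a hypothetical `record()` standing in for `recvrequest("NLST", temp, *argv, mode, 0, 0)` and the argv arrays constructed here as sample input.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define OUT_MAX 256

/* Hypothetical stand-in for recvrequest("NLST", temp, *argv, mode, 0, 0):
 * appends "mode:arg " to out so the sequence of calls can be compared. */
static void record(char *out, size_t outsz, const char *arg, const char *mode)
{
    size_t len = strlen(out);

    if (len >= outsz)
        return;
    snprintf(out + len, outsz - len, "%s:%s ", mode, arg);
}

/* The spelling on the "***" side of the hunk (the submitter's util.c). */
void loop_proposed(char **argv, char *out)
{
    const char *mode;

    out[0] = '\0';
    for (mode = "w", ++argv; *argv != NULL; argv++, mode = "a")
        record(out, OUT_MAX, *argv, mode);
}

/* The spelling on the "---" side of the hunk (util.c.org, what the tree has). */
void loop_tree(char **argv, char *out)
{
    const char *mode;

    out[0] = '\0';
    for (mode = "w"; *++argv != NULL; mode = "a")
        record(out, OUT_MAX, *argv, mode);
}

/* Returns 1 when both forms pass the same arguments with the same modes. */
int loops_equivalent(char **argv)
{
    char a[OUT_MAX], b[OUT_MAX];

    loop_proposed(argv, a);
    loop_tree(argv, b);
    return strcmp(a, b) == 0;
}

int main(void)
{
    /* Constructed sample input: argv[0] is the command word, as in ftp(1). */
    char *many[] = { "mget", "*.c", "*.h", "README", NULL };
    char *one[]  = { "mget", "*", NULL };
    char *none[] = { "mget", NULL };   /* edge case: no patterns at all */
    char out[OUT_MAX];

    loop_tree(many, out);
    printf("%s\n", out);   /* prints "w:*.c a:*.h a:README " (trailing space) */
    return (loops_equivalent(many) && loops_equivalent(one)
            && loops_equivalent(none)) ? 0 : 1;
}
```

Both forms use "w" for the first pattern and "a" for every later one, and both skip the body entirely when argv[1] is NULL, so the proposed change cannot be what the stack protector reacted to.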
 
State-Changed-From-To: open->feedback 
State-Changed-By: mikeh 
State-Changed-When: Thu Jul 19 19:28:28 PDT 2001 
State-Changed-Why:  
Waiting for reply from originator. 


Responsible-Changed-From-To: freebsd-bugs->mikeh 
Responsible-Changed-By: mikeh 
Responsible-Changed-When: Thu Jul 19 19:28:28 PDT 2001 
Responsible-Changed-Why:  
I'll take this. 

http://www.FreeBSD.org/cgi/query-pr.cgi?pr=28990 
State-Changed-From-To: feedback->closed 
State-Changed-By: mikeh 
State-Changed-When: Mon Oct 1 22:35:47 PDT 2001 
State-Changed-Why:  
Feedback timeout. 

http://www.FreeBSD.org/cgi/query-pr.cgi?pr=28990 
>Unformatted:
