From nobody@FreeBSD.org  Thu Jan 10 11:39:17 2002
Return-Path: <nobody@FreeBSD.org>
Received: from freefall.freebsd.org (freefall.FreeBSD.org [216.136.204.21])
	by hub.freebsd.org (Postfix) with ESMTP id 79B9637B404
	for <freebsd-gnats-submit@FreeBSD.org>; Thu, 10 Jan 2002 11:39:15 -0800 (PST)
Received: (from nobody@localhost)
	by freefall.freebsd.org (8.11.6/8.11.6) id g0AJdFc10108;
	Thu, 10 Jan 2002 11:39:15 -0800 (PST)
	(envelope-from nobody)
Message-Id: <200201101939.g0AJdFc10108@freefall.freebsd.org>
Date: Thu, 10 Jan 2002 11:39:15 -0800 (PST)
From: Vladislav Shabanov <vs@rambler-co.ru>
To: freebsd-gnats-submit@FreeBSD.org
Subject: ftpd performs an infinite loop after sending >4Gb file via sendfile
X-Send-Pr-Version: www-1.0

>Number:         33770
>Category:       bin
>Synopsis:       ftpd performs an infinite loop after sending >4Gb file via sendfile
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    maxim
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu Jan 10 11:40:01 PST 2002
>Closed-Date:    Fri Mar 15 00:48:30 PST 2002
>Last-Modified:  Fri Mar 15 00:48:30 PST 2002
>Originator:     Vladislav Shabanov
>Release:        RELENG_4
>Organization:
Rambler
>Environment:
FreeBSD index2.park.rambler.ru 4.4-RC FreeBSD 4.4-RC #2: Mon Oct  1 14:27:56 MSD
 2001     root@index2.park.rambler.ru:/usr/src/sys/compile/INDEX2  i386      
>Description:
When ftpd sends a large file it hangs up.
The file sent seems to be good (no corruption), but it's impossible
to retrieve the next one or do anything else with this ftpd.

This occurs because

size_t len;
...

off_t filesize;

len = filesize; /* len < filesize if filesize > 4 Gb */
sendfile ( ... , len, &cnt, ...)

len -= cnt; /* len will be zero */

after second call to sendfile ( ... , len, &cnt, ...)
system will send the tail of the file, and we have
an infinite loop because always (cnt < filesize)


>How-To-Repeat:
dd if=/dev/zero of=./mylargefile bs=1M count=8192
fetch -o /dev/null ftp://me:mypassword@127.0.0.1/....mylargefile

fetch will retrieve the whole file, but it will wait forever for ftpd to
send a reply(226, "Transfer complete.");

>Fix:
--- ftpd.c-old  Tue Aug 21 18:14:38 2001
+++ ftpd.c      Thu Jan 10 22:10:41 2002
@@ -1753,12 +1753,12 @@
                        len = filesize;
                        err = cnt = offset = 0;

-                       while (err != -1 && cnt < filesize) {
-                               err = sendfile(filefd, netfd, offset, len,
+                       while (err != -1 && filesize > 0) {
+                               err = sendfile(filefd, netfd, offset, 0,
                                        (struct sf_hdtr *) NULL, &cnt, 0);
                                byte_count += cnt;
                                offset += cnt;
-                               len -= cnt;
+                               filesize -= cnt;

                                if (err == -1) {
                                        if (!cnt)      
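Review bot: `len` is still assigned at the top of the hunk (`len = filesize;`) but is no longer read anywhere in the loop, so that assignment, and the `size_t len` declaration if nothing else uses it, should be dropped as well; otherwise the narrowing off_t-to-size_t store the report describes stays in the source and the compiler may warn about an unused variable. The loop change itself looks right: passing 0 as sendfile's nbytes asks for everything up to EOF, the remainder is now tracked in the 64-bit off_t `filesize` instead of a size_t, and the exit test `filesize > 0` replaces `cnt < filesize`, whose per-call `cnt` could stay below `filesize` forever once a call had nothing left to send.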
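To make the failure observable on a 64-bit host, here is an added simulation of both loops (not ftpd code and not part of this PR): i386's 32-bit size_t and FreeBSD's 64-bit off_t are emulated with fixed-width types, and sendfile(2) is replaced by a constructed blocking stand-in that sends the requested bytes, or everything to EOF when nbytes is 0, and reports the count through the sbytes pointer.

```c
#include <stdint.h>

typedef uint32_t sim_size_t;  /* emulates size_t on i386 (32-bit) */
typedef int64_t  sim_off_t;   /* emulates off_t on FreeBSD (64-bit) */

#define MAX_CALLS 16  /* bound so a non-terminating loop is reported, not hung */

/* Constructed stand-in for a blocking sendfile(2): sends nbytes bytes from
 * offset, or everything up to EOF when nbytes == 0, and reports the number
 * actually sent through *sbytes. Errors are not modelled; always returns 0. */
static int sim_sendfile(sim_off_t file_len, sim_off_t offset, sim_size_t nbytes,
                        sim_off_t *sbytes) {
    sim_off_t remaining = file_len > offset ? file_len - offset : 0;
    sim_off_t want = nbytes == 0 ? remaining : (sim_off_t)nbytes;
    *sbytes = want < remaining ? want : remaining;
    return 0;
}

/* The loop as it stood before the patch. Returns the number of sendfile calls
 * needed to finish, or -1 if MAX_CALLS is reached, i.e. the loop never ends. */
int old_loop_calls(sim_off_t filesize) {
    sim_size_t len = (sim_size_t)filesize;  /* narrowing: filesize mod 2^32 */
    sim_off_t cnt = 0, offset = 0;
    int err = 0, calls = 0;
    while (err != -1 && cnt < filesize) {   /* cnt is per call, not cumulative */
        if (calls++ == MAX_CALLS) return -1;
        err = sim_sendfile(filesize, offset, len, &cnt);
        offset += cnt;
        len -= cnt;  /* wraps modulo 2^32 once cnt exceeds len */
    }
    return calls;
}

/* The loop as patched: nbytes 0 means "send to EOF" and the bytes still owed
 * are tracked in the 64-bit filesize itself, so nothing is narrowed. */
int new_loop_calls(sim_off_t filesize) {
    const sim_off_t file_len = filesize;  /* real length, as the kernel sees it */
    sim_off_t cnt = 0, offset = 0;
    int err = 0, calls = 0;
    while (err != -1 && filesize > 0) {
        if (calls++ == MAX_CALLS) return -1;
        err = sim_sendfile(file_len, offset, 0, &cnt);
        offset += cnt;
        filesize -= cnt;
    }
    return calls;
}
```

For a 3 GiB file old_loop_calls returns 1, but for 5 GiB the truncated len (1 GiB) sends only part of the file, the second call drains the rest, and every later call sends 0 bytes with cnt still below filesize, so the simulation returns -1; new_loop_calls returns 1 for both sizes.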
>Release-Note:
>Audit-Trail:
State-Changed-From-To: open->analyzed 
State-Changed-By: maxim 
State-Changed-When: Wed Feb 13 01:00:20 PST 2002 
State-Changed-Why:  
Fixed in -current, thanks. 


Responsible-Changed-From-To: freebsd-bugs->maxim 
Responsible-Changed-By: maxim 
Responsible-Changed-When: Wed Feb 13 01:00:20 PST 2002 
Responsible-Changed-Why:  
I will MFC the fix. 

http://www.FreeBSD.org/cgi/query-pr.cgi?pr=33770 
State-Changed-From-To: analyzed->closed 
State-Changed-By: maxim 
State-Changed-When: Fri Mar 15 00:47:15 PST 2002 
State-Changed-Why:  
Fixed in libexec/ftpd/ftpd.c rev. 1.98 and rev. 1.62.2.19 in -current 
and -stable. Thanks for the patch. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=33770 
>Unformatted:
