From cperon@staff.seccuris.com  Sat Aug 31 19:07:29 2002
Return-Path: <cperon@staff.seccuris.com>
Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id C11FE37B401
	for <FreeBSD-gnats-submit@freebsd.org>; Sat, 31 Aug 2002 19:07:29 -0700 (PDT)
Received: from staff.seccuris.com (staff.seccuris.com [204.112.0.40])
	by mx1.FreeBSD.org (Postfix) with SMTP id 3058E43E65
	for <FreeBSD-gnats-submit@freebsd.org>; Sat, 31 Aug 2002 19:07:29 -0700 (PDT)
	(envelope-from cperon@staff.seccuris.com)
Received: (qmail 6026 invoked by uid 1006); 1 Sep 2002 02:30:18 -0000
Message-Id: <20020901023018.6025.qmail@staff.seccuris.com>
Date: 1 Sep 2002 02:30:18 -0000
From: Chris S.J.Peron <maneo@bsdpro.com>
Reply-To: Chris S.J.Peron <maneo@bsdpro.com>
To: FreeBSD-gnats-submit@freebsd.org
Cc:
Subject: [patch] sftp coredump if file specified by put/get args does not exist
X-Send-Pr-Version: 3.113
X-GNATS-Notify:

>Number:         42275
>Category:       bin
>Synopsis:       [patch] sftp coredump if file specified by put/get args does not exist
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    roam
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sat Aug 31 19:10:01 PDT 2002
>Closed-Date:    Mon Nov 03 05:58:00 PST 2003
>Last-Modified:  Mon Nov 03 05:58:00 PST 2003
>Originator:     Chris S.J. Peron
>Release:        FreeBSD 4.6.2-RELEASE i386
>Organization:
Seccuris Inc
>Environment:
System: FreeBSD staff.seccuris.com 4.6.2-RELEASE FreeBSD 4.6.2-RELEASE #1: Tue Aug 20 16:12:25 CDT 2002 cperon@staff.seccuris.com:/usr/src/sys/compile/opcode i386
>Description:

	The sftp put/get commands are implemented by the process_put()
	and process_get() routines defined in the sftp-int.c source file.
	
	These functions subsequently use glob(3) to populate gl_pathv,
	which contains a pointer to a NULL-terminated list of matched
	pathnames.

	However, if gl_pathc is zero, the contents of gl_pathv are undefined.
	Because process_put() and process_get() do not use proper error
	checking, if the requested file does not exist, sftp will drop a
	core and die horribly.
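	As an added illustration (not code from this PR or from OpenSSH), the
	following shows the defensive pattern for consuming glob(3) results
	that the report calls for: decide on glob's return value and gl_pathc
	before ever indexing gl_pathv. count_matches() is a hypothetical helper.

```c
/* Added example: safe consumption of glob(3) results.
 * Not part of sftp-int.c; count_matches() is a hypothetical helper. */
#include <glob.h>
#include <stdio.h>
#include <string.h>

/*
 * Expand `pattern` and print every match.
 * Returns the number of matches, 0 when nothing matched (without
 * touching gl_pathv, whose contents are undefined in that case),
 * and -1 on any other glob(3) failure.
 */
int count_matches(const char *pattern)
{
    glob_t g;
    int rc;

    /* Zero the struct so globfree() is safe on every exit path. */
    memset(&g, 0, sizeof(g));

    rc = glob(pattern, 0, NULL, &g);
    if (rc == GLOB_NOMATCH) {
        /* gl_pathc == 0 here: do not dereference gl_pathv or gl_pathv[0]. */
        globfree(&g);
        return 0;
    }
    if (rc != 0) {
        /* GLOB_NOSPACE / GLOB_ABORTED: report and bail out. */
        globfree(&g);
        return -1;
    }

    /* Only now are gl_pathv[0 .. gl_pathc-1] guaranteed to be valid. */
    int n = (int)g.gl_pathc;
    for (size_t i = 0; i < g.gl_pathc; i++)
        printf("%s\n", g.gl_pathv[i]);

    globfree(&g);
    return n;
}
```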
	
>How-To-Repeat:

% sftp cperon@xor
Connecting to xor...
Password:
sftp> get blahblahblah
Couldn't stat remote file: No such file or directory
Segmentation fault (core dumped)
%

Likewise for "put":

% sftp cperon@xor
Connecting to xor...
Password:
sftp> put poopoop
Segmentation fault (core dumped)
%

>Fix:


--- /usr/src/crypto/openssh/sftp-int.c.broken	Sat Aug 31 20:57:33 2002
+++ /usr/src/crypto/openssh/sftp-int.c	Sat Aug 31 21:01:34 2002
@@ -367,6 +367,10 @@
 		goto out;
 	}
 
+	/* Check to make sure that the file(s) exists. */
+	if (g.gl_pathv == '\0')
+		goto out;
+
 	/* Only one match, dst may be file, directory or unspecified */
 	if (g.gl_pathv[0] && g.gl_matchc == 1) {
 		if (dst) {
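Review bot: the new guard `if (g.gl_pathv == '\0')` compares a pointer against a character constant; write `NULL` instead, and since the report itself states that gl_pathv is undefined when gl_pathc is zero, the reliable test is `if (g.gl_pathc == 0)` (or acting on a GLOB_NOMATCH return from glob(3)) rather than relying on gl_pathv happening to be NULL. This hunk also jumps to `out` without printing anything or setting `err`, so a non-existent remote file fails silently, unlike the put path in the next hunk which reports the file and sets `err = -1`.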
@@ -446,6 +450,13 @@
 		goto out;
 	}
 
+	/* Check to make sure the file(s) exists. */
+	if (g.gl_pathv == '\0') {
+		error("File \"%s\" not found.", src);
+		err = -1;
+		goto out;
+	}
+ 
 	/* Only one match, dst may be file, directory or unspecified */
 	if (g.gl_pathv[0] && g.gl_matchc == 1) {
 		if (tmp_dst) {
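Review bot: same problem as the first hunk, `g.gl_pathv == '\0'` compares a pointer to a char constant and depends on gl_pathv being NULL when there are no matches, which the description says is undefined; test `g.gl_pathc == 0` (or the GLOB_NOMATCH return) instead. The added blank line `+ ` carries a trailing space and should be a bare `+`. The `error("File \"%s\" not found.", src); err = -1; goto out;` shape is the right one and the get path in the first hunk should mirror it.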
>Release-Note:
>Audit-Trail:
State-Changed-From-To: open->analyzed 
State-Changed-By: roam 
State-Changed-When: Sun Sep 1 03:56:02 PDT 2002 
State-Changed-Why:  
Arrgh - I thought we had tackled this one a couple of months ago :)
Apparently, either the glob(3) interface changed again, or sftp(1)
changed again...


Responsible-Changed-From-To: freebsd-bugs->roam 
Responsible-Changed-By: roam 
Responsible-Changed-When: Sun Sep 1 03:56:02 PDT 2002 
Responsible-Changed-Why:  
I took care of this the last time it popped up, I'll take a look now. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=42275 
State-Changed-From-To: analyzed->feedback 
State-Changed-By: roam 
State-Changed-When: Fri Oct 31 09:27:26 PST 2003 
State-Changed-Why:  
Is this still a problem after the OpenSSH 3.x imports? 

http://www.freebsd.org/cgi/query-pr.cgi?pr=42275 
State-Changed-From-To: feedback->closed 
State-Changed-By: roam 
State-Changed-When: Mon Nov 3 05:54:55 PST 2003 
State-Changed-Why:  
Submitter agrees that this was fixed by the OpenSSH 3.x imports. 
Thanks for trying to improve FreeBSD by reporting this problem! 

http://www.freebsd.org/cgi/query-pr.cgi?pr=42275 
>Unformatted:
