[2970] in Kerberos-V5-bugs
krb5-appl/633: gssftp client mput command can cause segfault
daemon@ATHENA.MIT.EDU (vwelch@ncsa.uiuc.edu)
Fri Sep 18 18:12:01 1998
Resent-From: gnats@rt-11.MIT.EDU (GNATS Management)
Resent-To: krb5-unassigned@RT-11.MIT.EDU
Resent-Reply-To: krb5-bugs@MIT.EDU, vwelch@ncsa.uiuc.edu
Date: Fri, 18 Sep 1998 17:03:23 -0500
From: vwelch@ncsa.uiuc.edu
Reply-To: vwelch@ncsa.uiuc.edu
To: krb5-bugs@MIT.EDU
Cc: vwelch@ncsa.uiuc.edu
>Number: 633
>Category: krb5-appl
>Synopsis: gssftp client mput command can cause segfault
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: krb5-unassigned
>State: open
>Class: sw-bug
>Submitter-Id: unknown
>Arrival-Date: Fri Sep 18 18:05:00 EDT 1998
>Last-Modified:
>Originator:
>Organization:
------------------------------------------------------------------------
Von Welch Senior Network Engineer vwelch@ncsa.uiuc.edu
National Center for Supercomputing Applications
------------------------------------------------------------------------
>Release: krb5-1.0.5
>Environment:
System: Linux computer.ncsa.uiuc.edu 2.0.32 #4 Mon Apr 20 09:38:29 CDT 1998 i686 unknown
Architecture: i686
>Description:
If you run the gssftp client and do an mput and any of the arguments
to the mput do not get globb'ed (i.e. there are no wildcards) this
will cause a segmentation fault because memory is free()'ed that shouldn't
be. If the arguments are globbed this will not happen.
>How-To-Repeat:
$ touch file
$ ftp pecos
Connected to pecos.ncsa.uiuc.edu.
220 pecos.ncsa.uiuc.edu FTP server (Version 5.60) ready.
334 Using authentication type GSSAPI; ADAT must follow
GSSAPI accepted as authentication type
GSSAPI authentication succeeded
Name (pecos:vwelch):
232 GSSAPI user vwelch@NCSA.EDU is authorized as vwelch
230 User vwelch logged in.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> mput file
mput file? y
227 Entering Passive Mode (141,142,4,6,159,245)
150 Opening BINARY mode data connection for file.
226 Transfer complete.
Segmentation fault
>Fix:
This is because the ftpglob() simply copies the given filename
pointer if it does not do any globbing instead of allocating a new
string. Later in the blkfree() call this copied pointer is free()'ed
with the above results.
The following patch makes a copy of the string if it is not globbed.
Index: glob.c
===================================================================
RCS file: /afs/ncsa/src/kerberos/NRL_CVSROOT/krb5/appl/gssftp/ftp/glob.c,v
retrieving revision 1.1.1.1
diff -c -r1.1.1.1 glob.c
*** glob.c 1997/06/02 21:54:20 1.1.1.1
--- glob.c 1998/09/18 21:50:01
***************
*** 104,111 ****
vv[1] = 0;
gflag = 0;
rscan(vv, tglob);
! if (gflag == 0)
return (copyblk(vv));
globerr = 0;
gpath = agpath; gpathp = gpath; *gpathp = 0;
--- 104,122 ----
vv[1] = 0;
gflag = 0;
rscan(vv, tglob);
! if (gflag == 0) {
! /*
! * If we don't do any expansion then we need to
! * make a copy of v since blkfree() will try to
! * free it.
! */
! vv[0] = strdup(v);
! if (vv[0] == NULL) {
! globerr = "Out of memory";
! return NULL;
! }
return (copyblk(vv));
+ }
globerr = 0;
gpath = agpath; gpathp = gpath; *gpathp = 0;
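Review bot: the new error path sets `globerr = "Out of memory"; return NULL;` and so relies on callers testing globerr, but the successful no-expansion path still does `return (copyblk(vv));` before the existing `globerr = 0;` line is reached, so a stale error string left by an earlier ftpglob() call would remain set after a successful no-wildcard return and could be reported by a caller. Suggest moving `globerr = 0;` above the `if (gflag == 0) {` test so that both the early return and the normal path leave it in a defined state. The strdup() itself is the right fix: copyblk() only duplicates the pointer array, so the caller's blkfree() will now free a string the block actually owns.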
>Audit-Trail:
>Unformatted: