[4954] in Athena Bugs
ftp coredump on "mput" (from comp.bugs.4bsd)
daemon@ATHENA.MIT.EDU (Jonathan I. Kamens)
Sun May 20 13:07:02 1990
Date: Sun, 20 May 90 13:06:48 -0400
From: Jonathan I. Kamens <jik@pit-manager.MIT.EDU>
To: bugs@ATHENA.MIT.EDU
In article <53090@wlbr.IMSD.CONTEL.COM>, sms@wlv.imsd.contel.com (Steven
M. Schultz) writes:
|> Subject: Short summary of the problem
|> Index: ucb/ftp/glob.c 4.3BSD
|>
|> Description:
|> If an "mput" is done but the filename given does not have any
|> characters which would cause the "glob"ing to expand the name
|> then ftp can core dump in mput() after transferring the file.
|> Repeat-By:
|> ftp>open remotehost
|> ... login ...
|> ftp>mput filename_with_no_expansion_characters
|>
|> Fix:
|> THe problem arises because once again, ftp is free()'ing
|> something which was never malloc()'d. If glob() does not
|> expand the input file name into something other than the
|> string passed to it, a copy of the input pointer is returned.
|> This pointer may be in either the stack or data space of the
|> program and free()'ing it later may result in premature
|> program termination.
|>
|> Apply the patch below to glob.c and remake 'ftp'
|>
|>
|> *** glob.c.old Sun Jun 25 22:07:34 1989
|> --- glob.c Fri May 18 15:46:18 1990
|> ***************
|> *** 71,78 ****
|> vv[1] = 0;
|> gflag = 0;
|> rscan(vv, tglob);
|> ! if (gflag == 0)
|> return (copyblk(vv));
|>
|> globerr = 0;
|> gpath = agpath; gpathp = gpath; *gpathp = 0;
|> --- 71,81 ----
|> vv[1] = 0;
|> gflag = 0;
|> rscan(vv, tglob);
|> ! if (gflag == 0) {
|> ! vv[0] = (char *)calloc(1, strlen(v) + 1);
|> ! strcpy(vv[0], v);
|> return (copyblk(vv));
|> + }
|>
|> globerr = 0;
|> gpath = agpath; gpathp = gpath; *gpathp = 0;
Jonathan Kamens USnail:
MIT Project Athena 11 Ashford Terrace
jik@Athena.MIT.EDU Allston, MA 02134
Office: 617-253-8495 Home: 617-782-0710
