FTPD child process can die with signal 11, bug found by Kingcope kernel: pid 46033 (ftpd), uid 1001: exited on signal 11 References : http://seclists.org/fulldisclosure/2010/Mar/117 http://seclists.org/fulldisclosure/2010/Mar/138 http://seclists.org/fulldisclosure/2010/Mar/139 Fix: See the attached patch, should fix issue How-To-Repeat: ftp localhost [....login....] ftp> mkdir WWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWW ftp> ls {W*/../W*/../W*/../W*/../W*/../W*/../W*/} [....Server close connection....]
Responsible Changed From-To: freebsd-standards->freebsd-bugs Not a PR for standards@
This has been fixed in the NetBSD repository - see http://www.netbsd.org/cgi- bin/query-pr-single.pl?number=43023 -- Bruce Cran
State Changed From-To: open->patched Patch from OpenBSD applied, thanks for bringing this to our attention!
Responsible Changed From-To: freebsd-bugs->delphij Take since I have patched this issue.
Author: delphij Date: Thu Mar 25 22:41:01 2010 New Revision: 205656 URL: http://svn.freebsd.org/changeset/base/205656 Log: Check that gl_pathc is bigger than zero before derefencing gl_pathv. When gl_pathc == 0, the content of gl_pathv is undefined. PR: bin/144761 Submitted by: David BERARD <contact davidberard fr> Obtained from: OpenBSD MFC after: 1 week Modified: head/libexec/ftpd/popen.c Modified: head/libexec/ftpd/popen.c ============================================================================== --- head/libexec/ftpd/popen.c Thu Mar 25 20:07:30 2010 (r205655) +++ head/libexec/ftpd/popen.c Thu Mar 25 22:41:01 2010 (r205656) @@ -110,10 +110,11 @@ ftpd_popen(char *program, char *type) flags |= GLOB_LIMIT; if (glob(argv[argc], flags, NULL, &gl)) gargv[gargc++] = strdup(argv[argc]); - else + else if (gl.gl_pathc > 0) { for (pop = gl.gl_pathv; *pop && gargc < (MAXGLOBARGS-1); pop++) gargv[gargc++] = strdup(*pop); + } globfree(&gl); } gargv[gargc] = NULL; _______________________________________________ svn-src-all@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/svn-src-all To unsubscribe, send any mail to "svn-src-all-unsubscribe@freebsd.org"
Author: delphij Date: Thu Apr 1 00:38:38 2010 New Revision: 206025 URL: http://svn.freebsd.org/changeset/base/206025 Log: MFC r205656: Check that gl_pathc is bigger than zero before derefencing gl_pathv. When gl_pathc == 0, the content of gl_pathv is undefined. PR: bin/144761 Submitted by: David BERARD <contact davidberard fr> Obtained from: OpenBSD Modified: stable/8/libexec/ftpd/popen.c Directory Properties: stable/8/libexec/ftpd/ (props changed) Changes in other areas also in this revision: Modified: stable/6/libexec/ftpd/popen.c stable/7/libexec/ftpd/popen.c Directory Properties: stable/6/libexec/ftpd/ (props changed) stable/7/libexec/ftpd/ (props changed) Modified: stable/8/libexec/ftpd/popen.c ============================================================================== --- stable/8/libexec/ftpd/popen.c Thu Apr 1 00:36:40 2010 (r206024) +++ stable/8/libexec/ftpd/popen.c Thu Apr 1 00:38:38 2010 (r206025) @@ -110,10 +110,11 @@ ftpd_popen(char *program, char *type) flags |= GLOB_LIMIT; if (glob(argv[argc], flags, NULL, &gl)) gargv[gargc++] = strdup(argv[argc]); - else + else if (gl.gl_pathc > 0) { for (pop = gl.gl_pathv; *pop && gargc < (MAXGLOBARGS-1); pop++) gargv[gargc++] = strdup(*pop); + } globfree(&gl); } gargv[gargc] = NULL; _______________________________________________ svn-src-all@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/svn-src-all To unsubscribe, send any mail to "svn-src-all-unsubscribe@freebsd.org"
State Changed From-To: patched->closed Fixed in {6,7.8}-STABLE.
Author: delphij Date: Thu Apr 1 00:38:38 2010 New Revision: 206025 URL: http://svn.freebsd.org/changeset/base/206025 Log: MFC r205656: Check that gl_pathc is bigger than zero before derefencing gl_pathv. When gl_pathc == 0, the content of gl_pathv is undefined. PR: bin/144761 Submitted by: David BERARD <contact davidberard fr> Obtained from: OpenBSD Modified: stable/7/libexec/ftpd/popen.c Directory Properties: stable/7/libexec/ftpd/ (props changed) Changes in other areas also in this revision: Modified: stable/6/libexec/ftpd/popen.c stable/8/libexec/ftpd/popen.c Directory Properties: stable/6/libexec/ftpd/ (props changed) stable/8/libexec/ftpd/ (props changed) Modified: stable/7/libexec/ftpd/popen.c ============================================================================== --- stable/7/libexec/ftpd/popen.c Thu Apr 1 00:36:40 2010 (r206024) +++ stable/7/libexec/ftpd/popen.c Thu Apr 1 00:38:38 2010 (r206025) @@ -110,10 +110,11 @@ ftpd_popen(char *program, char *type) flags |= GLOB_LIMIT; if (glob(argv[argc], flags, NULL, &gl)) gargv[gargc++] = strdup(argv[argc]); - else + else if (gl.gl_pathc > 0) { for (pop = gl.gl_pathv; *pop && gargc < (MAXGLOBARGS-1); pop++) gargv[gargc++] = strdup(*pop); + } globfree(&gl); } gargv[gargc] = NULL; _______________________________________________ svn-src-all@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/svn-src-all To unsubscribe, send any mail to "svn-src-all-unsubscribe@freebsd.org"