
[bug-inetutils] ftp: nmap mode is severely buggy


From: Mats Erik Andersson
Subject: [bug-inetutils] ftp: nmap mode is severely buggy
Date: Sat, 15 Dec 2012 16:31:14 +0100
User-agent: Mutt/1.5.18 (2008-05-17)

Dear all,

in "ftp/cmds.c" the functions domap() and cp_subst() are
causing infinite loops and segmentation faults, even
segmentation faults during later use of history scrolling.

The legacy clients "ftp" in FreeBSD and OpenSolaris
are correctly handling the cases below, so it is the
modification of domap() calls and implementation
for GNU Inetutils that compromise the code.

An infinite loop arises from this

  ftp> cd /etc
  ftp> lcd /tmp
  ftp> nmap $1.$2 $1.[$2,txt]
  ftp> get motd

It is text content in a chooser bracket that causes looping.

For segmentation faults I have this surprising case

  ftp> cd /etc
  ftp> lcd /tmp
  ftp> nmap $1.$2 $1.$2
  ftp> get resolv.conf
  *** segmentation fault with Glibc ***

Observe that I specified an identity mapping. This and the
next case abort with segmentation faults on GNU/Linux,
but pass on OpenSolaris without abortion.

It is certainly related to the following misnaming

  ftp> nmap $1.$2 $2.$1.new
  ftp> cd /etc
  ftp> lcd /tmp
  ftp> get resolv.conf
  local: conf.v.conf remote: resolv.conf
  ftp> get motd
  local: .motd.new remote: motd

which shows that the parser backsubstitutes the name as
"conf.v.conf" instead of the expected "conf.resolv.new".
This misnaming appears on OpenSolaris, but as said, results
in a segmentation fault on GNU/Linux. Thus it is writing
into existing strings instead of allocating new room.

I just pushed some small code audit changes, but the errors
cited above need more scrutiny before I commit anything.
Can someone find more test cases for other error conditions?

Regards,
  Mats E A
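
Added illustration, not code from GNU Inetutils or from the message above: a bounded nmap mapper that builds the local name in a caller-supplied buffer instead of writing into existing strings, and that advances through the outpattern on every step, so the three mappings reported above can serve as regression cases. The names nmap_apply, struct nm, put and expand are hypothetical; the $0 and [seq1,seq2] behaviour follows the classic BSD ftp manual description and is an assumption about what the client is meant to do.

```c
#include <string.h>

/* tok[0] is the whole name ($0); tok[1..9] are the fields matched by $1..$9. */
struct nm { const char *tok[10]; size_t tlen[10], cap, len; char *out; int err; };
/* Bounded append: set err instead of writing past out[cap - 1]. */
static void put(struct nm *m, const char *s, size_t n) {
    if (n >= m->cap - m->len) { m->err = 1; return; }
    memcpy(m->out + m->len, s, n);
    m->out[m->len += n] = '\0';
}

/* Expand outpattern up to an unescaped stop char. Every branch advances p. */
static const char *expand(struct nm *m, const char *p, const char *stop) {
    while (*p && !strchr(stop, *p)) {
        if (*p == '$' && p[1] >= '0' && p[1] <= '9') {
            put(m, m->tok[p[1] - '0'], m->tlen[p[1] - '0']);
            p += 2;
        } else if (*p == '[') {          /* [seq1,seq2]: seq1 if non-empty, else seq2 */
            size_t mark = m->len;
            p = expand(m, p + 1, ",]");
            if (*p == ',') {
                size_t end1 = m->len;
                p = expand(m, p + 1, "]");
                if (end1 > mark) { m->len = end1; m->out[end1] = '\0'; }
            }
            if (*p == ']') p++;
        } else {
            p += (*p == '\\' && p[1]);   /* backslash makes the next char literal */
            put(m, p++, 1);
        }
    }
    return p;
}

/* Map name s through (in, outpat) into out[cap]: 0 on success, -1 if it does not fit. */
int nmap_apply(const char *in, const char *outpat, const char *s, char *out, size_t cap) {
    struct nm m = { .tok = { s }, .tlen = { strlen(s) }, .cap = cap, .out = out };
    put(&m, "", 0);                      /* NUL-terminate out; sets err when cap == 0 */
    for (int i = 1; i < 10; i++) m.tok[i] = "";
    while (*in) {                        /* split s by inpattern; a mismatch ends it */
        if (*in == '$' && in[1] >= '1' && in[1] <= '9') {
            int i = in[1] - '0';
            m.tok[i] = s;
            for (in += 2; *s && *s != *in; s++) {}   /* field ends at next literal */
            m.tlen[i] = (size_t)(s - m.tok[i]);
        } else { if (*s != *in) break; s++; in++; }
    }
    expand(&m, outpat, "");
    return m.err ? -1 : 0;
}
```

A return value of -1 means the mapped name was truncated and must not be used as the local file name.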


