[bug-inetutils] ftp: nmap mode is severely buggy
From: Mats Erik Andersson
Subject: [bug-inetutils] ftp: nmap mode is severely buggy
Date: Sat, 15 Dec 2012 16:31:14 +0100
User-agent: Mutt/1.5.18 (2008-05-17)

Dear all,

in "ftp/cmds.c" the functions domap() and cp_subst() are
causing infinite loops and segmentation faults, even
segmentation faults during later use of history scrolling.
The legacy clients "ftp" in FreeBSD and OpenSolaris
are correctly handling the cases below, so it is the
modification of domap() calls and implementation
for GNU Inetutils that compromise the code.

An infinite loop arises from this

  ftp> cd /etc
  ftp> lcd /tmp
  ftp> nmap $1.$2 $1.[$2,txt]
  ftp> get motd

It is text content in a chooser bracket that causes looping.

For segmentation faults I have this surprising case

  ftp> cd /etc
  ftp> lcd /tmp
  ftp> nmap $1.$2 $1.$2
  ftp> get resolv.conf
  *** segmentation fault with Glibc ***

Observe that I specified an identity mapping. This and the
next case abort with segmentation faults on GNU/Linux,
but pass on OpenSolaris without abortion.

It is certainly related to the following misnaming

  ftp> nmap $1.$2 $2.$1.new
  ftp> cd /etc
  ftp> lcd /tmp
  ftp> get resolv.conf
  local: conf.v.conf remote: resolv.conf
  ftp> get motd
  local: .motd.new remote: motd

which shows that the parser backsubstitutes the name as
"conf.v.conf" instead of the expected "conf.resolv.new".
This misnaming appears on OpenSolaris, but as said, results
in a segmentation fault on GNU/Linux. Thus it is writing
into existing strings instead of allocating new room.

I just pushed some small code audit changes, but the errors
cited above need more scrutiny before I commit anything.
Can someone find more test cases for other error conditions?

Regards,
Mats E A
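
An added illustration, not part of the original message and not GNU Inetutils code: a small nmap-style mapper that expands the output template into a separate, length-checked buffer and advances its cursor on every pass, so literal text in a chooser bracket cannot make it loop. The names nmap_match(), put(), nmap_apply() and struct tok are hypothetical; the matcher is simplified (no $0, no backslash escapes, no nested brackets) and assumes the ftp(1) rule that [seq1,seq2] yields seq1 unless seq1 is empty.

```c
#include <string.h>

struct tok { const char *p; size_t n; };

/* Simplified matcher: $N captures name up to the pattern's next literal. */
static void nmap_match(const char *inpat, const char *name, struct tok t[9])
{
    for (int i = 0; i < 9; i++) { t[i].p = ""; t[i].n = 0; }
    while (*inpat) {
        if (inpat[0] == '$' && inpat[1] >= '1' && inpat[1] <= '9') {
            struct tok *k = &t[inpat[1] - '1'];
            char stop[2] = { inpat[2], '\0' };
            k->p = name;
            k->n = strcspn(name, stop);  /* rest of name if stop is "" */
            name += k->n;
            inpat += 2;
        } else if (*inpat++ == *name) name++;
    }
}

/* Bounded append: fails rather than write past out[cap - 1]. */
static int put(char *out, size_t cap, size_t *len, const char *s, size_t n)
{
    if (n >= cap - *len) return -1;
    memcpy(out + *len, s, n);
    out[*len += n] = '\0';
    return 0;
}

/* Expand outpat into out, not name; "[a,b]" is a, or b when a is empty. */
int nmap_apply(const char *inpat, const char *outpat, const char *name,
               char *out, size_t cap)
{
    struct tok t[9];
    size_t len = 0, mark = 0;
    int alt = 0, skip = 0;               /* alt: 0 outside, 1 in a, 2 in b */
    if (put(out, cap, &len, "", 0)) return -1;   /* also rejects cap == 0 */
    nmap_match(inpat, name, t);
    for (const char *p = outpat; *p; p++) {      /* p advances every pass */
        if (*p == '[' && !alt) { alt = 1; mark = len; }
        else if (*p == ',' && alt == 1) { alt = 2; skip = len > mark; }
        else if (*p == ']' && alt) { alt = 0; skip = 0; }
        else if (skip) continue;
        else if (*p == '$' && p[1] >= '1' && p[1] <= '9') {
            const struct tok *k = &t[*++p - '1'];
            if (put(out, cap, &len, k->p, k->n)) return -1;
        } else if (put(out, cap, &len, p, 1)) return -1;
    }
    return 0;
}
```

nmap_apply() returns 0 on success and -1 when the mapped name would not fit in the caller's buffer; the captures point into the untouched source name, which is why the identity mapping and the swapped mapping cannot overwrite their own input.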