From: Eugene Grosbein
To: stable@freebsd.org
Date: Thu, 3 Jan 2002 18:16:45 +0700
Subject: How to make stock ftpd crash
Message-ID: <20020103181645.A99459@svzserv.kemerovo.su>

Hi!

I've found a 100% repeatable way to segfault the stock ftpd (FreeBSD 4.4-STABLE).
I run it from /etc/inetd.conf:

ftp stream tcp nowait/50/120 root /usr/libexec/ftpd ftpd -llSd

Here is a log of the connection:

Jan 3 18:00:38 www ftpd[99297]: connection from kost (213.184.65.82)
Jan 3 18:00:38 www ftpd[99297]: <--- 220
Jan 3 18:00:38 www ftpd[99297]: www.svzserv.kemerovo.su FTP server (Version 6.00LS) ready.
Jan 3 18:00:38 www ftpd[99297]: command: USER ftp
Jan 3 18:00:38 www ftpd[99297]: <--- 331
Jan 3 18:00:38 www ftpd[99297]: Guest login ok, send your email address as password.
Jan 3 18:00:38 www ftpd[99297]: command: PASS eugen@iname.com
Jan 3 18:00:38 www ftpd[99297]: <--- 230
Jan 3 18:00:38 www ftpd[99297]: Guest login ok, access restrictions apply.
Jan 3 18:00:38 www ftpd[99297]: ANONYMOUS FTP LOGIN FROM kost, eugen@iname.com
Jan 3 18:00:38 www ftpd[99297]: command: PWD
Jan 3 18:00:38 www ftpd[99297]: <--- 257
Jan 3 18:00:38 www ftpd[99297]: "/" is current directory.
Jan 3 18:00:38 www ftpd[99297]: command: SYST
Jan 3 18:00:38 www ftpd[99297]: <--- 215
Jan 3 18:00:38 www ftpd[99297]: UNIX Type: L8 Version: BSD-199506
Jan 3 18:00:38 www ftpd[99297]: command: CWD /pub/FreeBSD/ports/distfiles
Jan 3 18:00:38 www ftpd[99297]: <--- 250
Jan 3 18:00:38 www ftpd[99297]: CWD command successful.
Jan 3 18:00:38 www ftpd[99297]: command: PWD
Jan 3 18:00:38 www ftpd[99297]: <--- 257
Jan 3 18:00:38 www ftpd[99297]: "/pub/FreeBSD/ports/distfiles" is current directory.
Jan 3 18:00:38 www ftpd[99297]: command: PASV
Jan 3 18:00:38 www ftpd[99297]: <--- 227
Jan 3 18:00:38 www ftpd[99297]: Entering Passive Mode (213,184,65,80,200,151)
Jan 3 18:00:38 www ftpd[99297]: command: LIST
Jan 3 18:00:38 www ftpd[99297]: <--- 150
Jan 3 18:00:38 www ftpd[99297]: Opening ASCII mode data connection for '/bin/ls'.
Jan 3 18:00:39 www ftpd[99297]: <--- 226
Jan 3 18:00:39 www ftpd[99297]: Transfer complete.
Jan 3 18:00:40 www ftpd[99297]: command: TYPE I
Jan 3 18:00:40 www ftpd[99297]: <--- 200
Jan 3 18:00:40 www ftpd[99297]: Type set to I.
Jan 3 18:00:40 www ftpd[99297]: command: PASV
Jan 3 18:00:40 www ftpd[99297]: <--- 227
Jan 3 18:00:40 www ftpd[99297]: Entering Passive Mode (213,184,65,80,200,152)
Jan 3 18:00:40 www ftpd[99297]: command: RETR pkg_tarup?rev=1.2&content-type=text%2fplain
Jan 3 18:00:40 www ftpd[99297]: <--- 150
Jan 3 18:00:40 www ftpd[99297]: Opening BINARY mode data connection for 'pkg_tarup?rev=1.2&content-type=text%2fplain' (2512 bytes).
Jan 3 18:00:40 www ftpd[99297]: <--- 226
Jan 3 18:00:40 www ftpd[99297]: Transfer complete.
Jan 3 18:00:40 www ftpd[99297]: get pub/FreeBSD/ports/distfiles/pkg_tarup?rev=1.2&content-type=text%2fplain = 2512 bytes
Jan 3 18:00:40 www ftpd[99297]: command: ABOR
Jan 3 18:00:40 www ftpd[99297]: <--- 426
Jan 3 18:00:40 www ftpd[99297]: Transfer aborted. Data connection closed.
Jan 3 18:00:40 www ftpd[99297]: <--- 226
Jan 3 18:00:40 www ftpd[99297]: Abort successful

Here ftpd died with signal 11.
The client was FAR 1.63 (by Eugene Roshal) running on Windows 95 OSR2 with a FAT32 filesystem. It requested a file named pkg_tarup?rev=1.2&content-type=text%2fplain but could not create such a file on its filesystem, so it sent ABOR. The file is small (2512 bytes) and the link is fast, 100Mb ethernet.

My ftpd is compiled with debug info and I've enabled core dumps, so I can supply the output of gdb:

Script started on Thu Jan 3 18:13:34 2002
GNU gdb 4.18
Copyright 1998 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-unknown-freebsd"...
Core was generated by `ftpd'.
Program terminated with signal 11, Segmentation fault.
Reading symbols from /usr/lib/libskey.so.2...done.
Reading symbols from /usr/lib/libmd.so.2...done.
Reading symbols from /usr/lib/libcrypt.so.2...done.
Reading symbols from /usr/lib/libutil.so.3...done.
Reading symbols from /usr/lib/libpam.so.1...done.
Reading symbols from /usr/lib/libc.so.4...done.
Reading symbols from /usr/libexec/ld-elf.so.1...done.
#0  0x804c9b0 in retrieve (cmd=0x0, name=0x60004) at ftpd.c:1469
1469            LOGBYTES("get", name, byte_count);
(gdb) l 1469
1464            (void) fclose(dout);
1465            data = -1;
1466            pdata = -1;
1467    done:
1468            if (cmd == 0)
1469                    LOGBYTES("get", name, byte_count);
1470            (*closefunc)(fin);
1471    }
1472
1473    void
(gdb) p name
$1 = 0x60004
(gdb) p byte_count
$2 = 2512
(gdb) quit
Script done on Thu Jan 3 18:13:57 2002

I can reproduce this any time. Not sure if there might be any security issues. After all, ftpd does chroot for anonymous.

Eugene Grosbein
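The backtrace shows retrieve() reaching its done: cleanup after the ABOR with a name pointer that no longer points anywhere usable. As an added illustration, not code from the post or from FreeBSD's ftpd, the following models the transfer loop defensively: the abort signal handler only sets a flag that the send loop polls, so cleanup is reached by ordinary control flow and the locals used for the final log line stay valid. It assumes the generic hazard of an abort handler that transfers control back into the transfer routine; the post does not diagnose the root cause, and retrieve_sim, xfer_log and the byte-count simulation are my own.

```c
#define _POSIX_C_SOURCE 200809L
#include <signal.h>
#include <stdio.h>
#include <string.h>

/* Set by the SIGURG handler; a flag is all a handler should touch. */
static volatile sig_atomic_t abort_requested;

static void urg_handler(int sig) { (void)sig; abort_requested = 1; }

/* What the final LOGBYTES-style line would record for one transfer. */
struct xfer_log { char name[128]; long byte_count; int aborted; };

/* Simulated retrieve() (hypothetical): sends 'len' bytes in 'chunk'-sized
 * writes and raises SIGURG (the out-of-band ABOR signal) just before write
 * number 'abort_after', or never if abort_after is negative. */
struct xfer_log retrieve_sim(const char *name, long len, long chunk, long abort_after)
{
    struct xfer_log log;
    struct sigaction sa, old;
    long sent = 0, writes = 0;

    memset(&log, 0, sizeof log);
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = urg_handler;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGURG, &sa, &old);
    abort_requested = 0;

    while (sent < len) {
        if (writes == abort_after)
            raise(SIGURG);              /* stands in for the client's ABOR */
        if (abort_requested) {          /* polled here, never longjmp'ed to */
            log.aborted = 1;
            goto done;
        }
        sent += (len - sent < chunk) ? len - sent : chunk;
        writes++;
    }
done:
    /* Reached only by normal flow or a plain goto, so 'name' and 'sent'
     * hold the values this frame last stored; nothing was restored by a
     * longjmp out of a signal handler. */
    snprintf(log.name, sizeof log.name, "%s", name);
    log.byte_count = sent;
    sigaction(SIGURG, &old, NULL);
    return log;
}
```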