Date: Sun, 19 Mar 2000 15:06:29 +0900 (JST)
From: Kattyo <kattyo@abk.nu>
To: FreeBSD-gnats-submit@freebsd.org
Subject: bin/17482: ftpd not close listening port when failed data xfer in passive mode
Message-ID: <200003190606.PAA09459@uhura.nit.ac.jp>
>Number: 17482
>Category: bin
>Synopsis: ftpd(8) forget to close TCP port in passive mode
>Confidential: no
>Severity: serious
>Priority: high
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Sat Mar 18 22:10:01 PST 2000
>Closed-Date:
>Last-Modified:
>Originator: TANAKA Hiroyuki
>Release: FreeBSD 3.2-RELEASE i386
>Organization:
Nippon Institute of Technology
>Environment:
FreeBSD 3.2R and /usr/libexec/ftpd
>Description:
When ftpd fails a data transfer with reply code 55x in passive mode,
ftpd forgets to close the socket that is listening for the data transfer.
This problem will affect anonymous ftp servers as a security hole.
(A DoS attack is possible.)
>How-To-Repeat:
% ftp -p localhost
Connected localhost.
-- snip -- (here login) --
ftp> get no-such-filename
227 Entering Passive Mode (127,0,0,1,123,45)
550 no-such-filename: No such a file or directory.
ftp> !netstat -f inet
Proto Send-Q Recv-Q Local Address Foreign Address State
tcp 0 0 localhost.31533 *.* LISTEN
tcp 0 0 localhost.ftp localhost.31531 ESTABLISHED
ftp> get no-such-filename
227 Entering Passive Mode (127,0,0,1,123,46)
550 no-such-filename: No such a file or directory.
ftp> !netstat -f inet
Proto Send-Q Recv-Q Local Address Foreign Address State
tcp 0 0 localhost.31533 *.* LISTEN
tcp 0 0 localhost.31534 *.* LISTEN
tcp 0 0 localhost.ftp localhost.31531 ESTABLISHED
If this is retried more and more, file descriptors run out and
many commands can't execute because they can't load dynamic link libraries.
Total problem points:
 1. PASV
    NLST (at empty directory)
 2. PASV
    RETR no-such-filename
 3. PASV
    STOR no-writable-filename
    or APPE no-writable-filename
    or STOU in-no-writable-directory
>Fix:
This patch is not perfect.
*** old/ftpd.c Sun Mar 19 02:26:11 2000
--- ftpd.c Sun Mar 19 14:23:45 2000
***************
*** 1156,1161 ****
--- 1156,1165 ----
if (cmd == 0) {
LOGCMD("get", name);
}
+ if (pdata >= 1) {
+ (void) close(pdata);
+ pdata = -1;
+ }
}
return;
}
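Review bot: the guard `if (pdata >= 1)` on the first added line does not match the `pdata >= 0` test used in the other two hunks. With -1 as the "unused" value that this same hunk assigns, `pdata >= 0` is the consistent check; as written, a listener that happened to be descriptor 0 would be skipped. A one-line comment saying that this is the passive listener being released on the failure path would also help the next reader.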
***************
*** 1194,1201 ****
logxfer(name, st.st_size, start);
(void) fclose(dout);
data = -1;
- pdata = -1;
done:
if (cmd == 0)
LOGBYTES("get", name, byte_count);
(*closefunc)(fin);
--- 1198,1208 ----
logxfer(name, st.st_size, start);
(void) fclose(dout);
data = -1;
done:
+ if (pdata >= 0) {
+ (void) close(pdata);
+ }
+ pdata = -1;
if (cmd == 0)
LOGBYTES("get", name, byte_count);
(*closefunc)(fin);
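Review bot: on the success path, fclose(dout) is now followed by the new close(pdata) after the done: label, because the `pdata = -1;` that used to sit before the label was removed. If dout was opened on the descriptor held in pdata (the third hunk treats fclose(dout) and close(pdata) as alternatives, which suggests it is), that descriptor gets closed twice. Keeping `pdata = -1;` before `done:` would leave the close reachable only from the jumps to done:.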
***************
*** 2219,2224 ****
--- 2226,2235 ----
transflag = 0;
if (dout != NULL)
(void) fclose(dout);
+ else {
+ if (pdata >= 0)
+ (void) close(pdata);
+ }
data = -1;
pdata = -1;
out:
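Review bot: the added else branch closes pdata only when dout is NULL, which relies on fclose(dout) releasing the same descriptor whenever dout is set; nothing in the visible lines states that relationship, so a short comment is worth adding here. As a style point, the nested block can be written as `else if (pdata >= 0)`.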
>Release-Note:
>Audit-Trail:
>Unformatted:
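The descriptor leak described in this report, modelled on the cleanup path that the third hunk changes (no data stream opened, so dout is NULL), as an added example that is not ftpd source and not part of the original report. The names passive_listen, finish_transfer and leaked_listeners are hypothetical, and the PASV setup is a simplified stand-in for what ftpd does.

```c
#include <fcntl.h>
#include <netinet/in.h>
#include <stdio.h>
#include <sys/socket.h>
#include <unistd.h>

static int pdata = -1;  /* passive-mode listening socket, -1 when unused */

/* Simplified stand-in for PASV: listen on an ephemeral loopback port. */
static int passive_listen(void)
{
    struct sockaddr_in sin = { .sin_family = AF_INET };
    sin.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    pdata = socket(AF_INET, SOCK_STREAM, 0);
    if (pdata >= 0 && bind(pdata, (struct sockaddr *)&sin, sizeof(sin)) == 0
        && listen(pdata, 1) == 0)
        return 0;
    (void) close(pdata);    /* harmless EBADF if socket() itself failed */
    pdata = -1;
    return -1;
}

/* Cleanup as in the third hunk; dout is NULL when no data stream was opened. */
static void finish_transfer(FILE *dout, int patched)
{
    if (dout != NULL)
        (void) fclose(dout);
    else if (patched && pdata >= 0)
        (void) close(pdata);    /* the close the patch adds */
    pdata = -1;                 /* unpatched: descriptor forgotten while open */
}

/* Run PASV + failed-transfer rounds; count listeners still open afterwards. */
int leaked_listeners(int rounds, int patched)
{
    int fd, leaked = 0;
    while (rounds-- > 0 && passive_listen() == 0) {
        fd = pdata;
        finish_transfer(NULL, patched);
        leaked += (fcntl(fd, F_GETFD) != -1);   /* fd still valid => leaked */
    }
    return leaked;
}

int main(void)
{
    printf("left open: unpatched %d, ", leaked_listeners(5, 0));
    printf("patched %d\n", leaked_listeners(5, 1));
    return 0;
}
```

Each unpatched round leaves one more socket in LISTEN state, which is the growth the netstat output above shows.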
