From owner-freebsd-standards@FreeBSD.ORG  Mon Mar 15 12:40:08 2010
Return-Path: <owner-freebsd-standards@FreeBSD.ORG>
Delivered-To: freebsd-standards@hub.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id ACB61106566C
	for <freebsd-standards@hub.freebsd.org>;
	Mon, 15 Mar 2010 12:40:08 +0000 (UTC)
	(envelope-from gnats@FreeBSD.org)
Received: from freefall.freebsd.org (freefall.freebsd.org
	[IPv6:2001:4f8:fff6::28])
	by mx1.freebsd.org (Postfix) with ESMTP id 8993E8FC17
	for <freebsd-standards@hub.freebsd.org>;
	Mon, 15 Mar 2010 12:40:08 +0000 (UTC)
Received: from freefall.freebsd.org (localhost [127.0.0.1])
	by freefall.freebsd.org (8.14.4/8.14.4) with ESMTP id o2FCe7UI009705
	for <freebsd-standards@freefall.freebsd.org>;
	Mon, 15 Mar 2010 12:40:07 GMT
	(envelope-from gnats@freefall.freebsd.org)
Received: (from gnats@localhost)
	by freefall.freebsd.org (8.14.4/8.14.4/Submit) id o2FCe7EG009704;
	Mon, 15 Mar 2010 12:40:07 GMT (envelope-from gnats)
Resent-Date: Mon, 15 Mar 2010 12:40:07 GMT
Resent-Message-Id: <201003151240.o2FCe7EG009704@freefall.freebsd.org>
Resent-From: FreeBSD-gnats-submit@FreeBSD.org (GNATS Filer)
Resent-To: freebsd-standards@FreeBSD.org
Resent-Reply-To: FreeBSD-gnats-submit@FreeBSD.org,
	David BERARD <contact@davidberard.fr>
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 644A01065673
	for <FreeBSD-gnats-submit@freebsd.org>;
	Mon, 15 Mar 2010 12:37:02 +0000 (UTC)
	(envelope-from david@lab.polymorf.fr)
Received: from lab.polymorf.fr (lab.polymorf.fr [188.40.66.189])
	by mx1.freebsd.org (Postfix) with ESMTP id B82AE8FC0A
	for <FreeBSD-gnats-submit@freebsd.org>;
	Mon, 15 Mar 2010 12:37:01 +0000 (UTC)
Received: from lab.polymorf.fr (localhost [127.0.0.1])
	by lab.polymorf.fr (8.14.3/8.14.3) with ESMTP id o2FC8KCk053819;
	Mon, 15 Mar 2010 12:08:21 GMT (envelope-from david@lab.polymorf.fr)
Received: (from david@localhost)
	by lab.polymorf.fr (8.14.3/8.14.3/Submit) id o2FC8Kxb053818;
	Mon, 15 Mar 2010 12:08:20 GMT (envelope-from david)
Message-Id: <201003151208.o2FC8Kxb053818@lab.polymorf.fr>
Date: Mon, 15 Mar 2010 12:08:20 GMT
From: David BERARD <contact@davidberard.fr>
To: FreeBSD-gnats-submit@FreeBSD.org
X-Send-Pr-Version: 3.113
Cc: laurent@sintes.org
Subject: standards/144761: FTPD bug remote crash
X-BeenThere: freebsd-standards@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
Reply-To: David BERARD <contact@davidberard.fr>
List-Id: Standards compliance <freebsd-standards.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-standards>, 
	<mailto:freebsd-standards-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-standards>
List-Post: <mailto:freebsd-standards@freebsd.org>
List-Help: <mailto:freebsd-standards-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-standards>, 
	<mailto:freebsd-standards-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Mon, 15 Mar 2010 12:40:08 -0000


>Number:         144761
>Category:       standards
>Synopsis:       FTPD bug remote crash
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-standards
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Mon Mar 15 12:40:07 UTC 2010
>Closed-Date:
>Last-Modified:
>Originator:     David BERARD
>Release:        FreeBSD 8.0-RELEASE amd64
>Organization:
NFrance Conseil
>Environment:
System: FreeBSD lab.polymorf.fr 8.0-RELEASE FreeBSD 8.0-RELEASE #0: Sat Nov 21 15:02:08 UTC 2009 root@mason.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC amd64

>Description:
FTPD child process can die with signal 11, bug found by Kingcope
	kernel: pid 46033 (ftpd), uid 1001: exited on signal 11
References :
	http://seclists.org/fulldisclosure/2010/Mar/117
	http://seclists.org/fulldisclosure/2010/Mar/138
	http://seclists.org/fulldisclosure/2010/Mar/139
>How-To-Repeat:
	ftp localhost
	[....login....]
	ftp> mkdir WWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWW
	ftp> ls {W*/../W*/../W*/../W*/../W*/../W*/../W*/}
	[....Server close connection....]
>Fix:

See the attached patch, should fix issue

--- ftpd_popen.patch begins here ---
--- /usr/src/libexec/ftpd/popen.c	2009-10-25 01:10:29.000000000 +0000
+++ /usr/src/libexec/ftpd/popen.c	2010-03-13 08:03:24.000000000 +0000
@@ -108,7 +108,7 @@
 		memset(&gl, 0, sizeof(gl));
 		gl.gl_matchc = MAXGLOBARGS;
 		flags |= GLOB_LIMIT;
-		if (glob(argv[argc], flags, NULL, &gl))
+		if (glob(argv[argc], flags, NULL, &gl) || gl.gl_pathc == 0)
 			gargv[gargc++] = strdup(argv[argc]);
 		else
 			for (pop = gl.gl_pathv; *pop && gargc < (MAXGLOBARGS-1);
--- ftpd_popen.patch ends here ---


>Release-Note:
>Audit-Trail:
>Unformatted: