Message-Id: <20060717155118.CB4F4386C0F@starbug.ugh.net.au>
Date: Tue, 18 Jul 2006 01:51:18 +1000 (EST)
From: Andrew Stevenson
To: FreeBSD-gnats-submit@FreeBSD.org
Cc: mikeh@FreeBSD.org, obrien@FreeBSD.org
Subject: bin/100442: lukemftpd core dumps on anonymous login

>Number: 100442
>Category: bin
>Synopsis: lukemftpd core dumps on anonymous login
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Mon Jul 17 16:00:34 GMT 2006
>Closed-Date:
>Last-Modified:
>Originator: Andrew Stevenson
>Release: FreeBSD 6.1-RELEASE i386
>Organization: UgH!
>Environment:
System: FreeBSD starbug.ugh.net.au 6.1-RELEASE FreeBSD 6.1-RELEASE #0: Mon Jun 12 07:32:23 UTC 2006 root@jail.ugh.net.au:/usr/obj/usr/src/sys/KERNEL1 i386

>Description:
lukemftpd core dumps on anonymous login after accepting the password.

What seems to be happening is that the user function (ftpd.c:716) is called but we hit the goto on line 786 and so skip the call to parse_conf on line 821. This means that when we get to count_users (conf.c:883) (called from pass (ftpd.c:1149)) curclass.classname is still NULL and the strlcat on line 892 of conf.c causes a segfault.

The NetBSD code differs in that it doesn't have the goto though I haven't tested to see if that avoids the problem. I'm not sure of the rationale for the differing code - the comments seem to say the NetBSD code came from FreeBSD originally.

>How-To-Repeat:
Added an ftp user and group. Shell set to nologin.
Added lukemftpd to inetd.conf with the flags "ftpd -ll -r -d"
Login via FTP as "ftp" with any password.

>Fix:
>Release-Note:
>Audit-Trail:
>Unformatted:
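
Added example, not part of the original report and not lukemftpd source: a simplified C model of the control flow described under >Description, where an early goto skips the configuration step and a later string build sees a NULL class name, with one possible defensive check. All function names, the class name "guest" and the path prefix are hypothetical stand-ins.

```c
/* Simplified model of the flow in the report; not lukemftpd code.
 * Every identifier and string here is a constructed stand-in. */
#include <stdio.h>
#include <string.h>

struct ftpclass { const char *classname; };
static struct ftpclass curclass;          /* classname starts out NULL */

/* Stand-in for parse_conf(): the only place classname is set. */
static void model_parse_conf(const char *cls) { curclass.classname = cls; }

/* Stand-in for user(): the early-exit path jumps past the parse step. */
static void model_user(int early_exit)
{
    if (early_exit)
        goto done;                        /* the goto the report describes */
    model_parse_conf("guest");
done:
    return;
}

/* Stand-in for count_users(): builds a per-class file name.
 * Returns 0 on success, -1 if no class was configured or the name
 * does not fit. Without the NULL check the append would read through
 * a NULL pointer, which is the segfault in the report. */
static int model_count_users(char *buf, size_t len)
{
    int n;

    if (curclass.classname == NULL)
        return -1;
    n = snprintf(buf, len, "/tmp/model-pids-%s", curclass.classname);
    return (n < 0 || (size_t)n >= len) ? -1 : 0;
}

/* Login steps in the order the report gives: user(), then pass()
 * calling count_users(). */
static int model_login(int early_exit, char *buf, size_t len)
{
    curclass.classname = NULL;
    model_user(early_exit);
    return model_count_users(buf, len);
}

int main(void)
{
    char buf[64];
    printf("early-exit path: %d\n", model_login(1, buf, sizeof buf));
    printf("normal path:     %d\n", model_login(0, buf, sizeof buf));
    return 0;
}
```

The guard only turns the crash into a refused login; whether the real fix belongs in the skipped configuration call or in the consumer is a question for the maintainers.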