662684 – net-ftp/ftp-0.17.23.0.2.1 patch 070_all_segv.patch causes segfault

Bug 662684 - net-ftp/ftp-0.17.23.0.2.1 patch 070_all_segv.patch causes segfault

Summary: net-ftp/ftp-0.17.23.0.2.1 patch 070_all_segv.patch causes segfault

Status:	RESOLVED FIXED

Alias:	None

Product:	Gentoo Linux
Classification:	Unclassified
Component:	Current packages (show other bugs)
Hardware:	All Linux

Importance:	Normal normal
Assignee:	Gentoo's Team for Core System packages

URL:
Whiteboard:
Keywords:	PullRequest

Depends on:
Blocks:

Reported:	2018-08-02 22:18 UTC by Hank Leininger
Modified:	2021-09-28 03:35 UTC (History)
CC List:	2 users (show)

See Also:	https://github.com/gentoo/gentoo/pull/18862
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Hank Leininger 2018-08-02 22:18:41 UTC

The ftp client will segv when connecting to a server that immediately issues a 421 response:

term1$ echo "421 Service not available." | ncat -n -v -l 127.0.0.1
...
Ncat: Listening on 127.0.0.1:31337


term2$ ftp -d -v 127.0.0.1 31337
Connected to 127.0.0.1.
421 Service not available.
Segmentation fault (core dumped)

gdb shows it dying in fclose; strace shows two calls to fclose in a row.

net-ftp/ftp applies patch sets from Debian and then from Gentoo.  I found that if I removed the second chunk of 070_all_segv.patch from Gentoo's netkit-ftp-0.17-patches-2.tar.bz2, the crash goes away:

$ ftp 127.0.0.1 31337
Connected to 127.0.0.1.
421 Service not available.
ftp>

That patch hunk is in ftp/ftp.c:

@@ -529,6 +531,10 @@
                        INTOFF;
                        lostpeer(0);
                        INTON;
+                       if (cout) {
+                               fclose(cout);
+                               cout = NULL;
+                       }
                }
                return (n - '0');
        }

...And it is modifying the behavior at the end of getreply(), specifically, how it handles 421 responses.  With that removed, there's only one fclose() call.  I suspect that this error path is (now?) properly handled and the patch hunk can be dropped.

Comment 1 Hank Leininger 2020-12-28 23:19:43 UTC

Ping, this segv still occurs, 2+ years later.

Comment 2 Larry the Git Cow gentoo-dev

2021-09-28 03:35:09 UTC

The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=74fca1f794ce6bf84cb6354cc31d5f307508e155

commit 74fca1f794ce6bf84cb6354cc31d5f307508e155
Author:     Hank Leininger <hlein@korelogic.com>
AuthorDate: 2020-12-29 01:12:10 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2021-09-28 03:34:53 +0000

    net-ftp/ftp: version bump, EAPI bump, fix segv
    
    Sync to a more recent Debian version
    (netkit-ftp-ssl_0.17.34+0.2-5.1.dsc), and fix longstanding segv
    when the server goes away. Updated Gentoo patches for the current
    Debian version. Tested with gcc-10.
    
    Signed-off-by: Hank Leininger <hlein@korelogic.com>
    Closes: https://bugs.gentoo.org/662684
    Package-Manager: Portage-3.0.12, Repoman-3.0.2
    Closes: https://github.com/gentoo/gentoo/pull/18862
    Signed-off-by: Sam James <sam@gentoo.org>

 net-ftp/ftp/Manifest                   |  2 ++
 net-ftp/ftp/ftp-0.17.34.0.2.5.1.ebuild | 66 ++++++++++++++++++++++++++++++++++
 2 files changed, 68 insertions(+)