Bug 662684 - net-ftp/ftp-0.17.23.0.2.1 patch 070_all_segv.patch causes segfault
Status: UNCONFIRMED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo's Team for Core System packages
Reported: 2018-08-02 22:18 UTC by Hank Leininger
Modified: 2018-08-05 18:35 UTC

Description Hank Leininger 2018-08-02 22:18:41 UTC
The ftp client will segv when connecting to a server that immediately issues a 421 response:

term1$ echo "421 Service not available." | ncat -n -v -l 127.0.0.1
...
Ncat: Listening on 127.0.0.1:31337


term2$ ftp -d -v 127.0.0.1 31337
Connected to 127.0.0.1.
421 Service not available.
Segmentation fault (core dumped)

gdb shows it dying in fclose; strace shows two calls to fclose in a row.

net-ftp/ftp applies patch sets from Debian and then from Gentoo.  I found that if I removed the second chunk of 070_all_segv.patch from Gentoo's netkit-ftp-0.17-patches-2.tar.bz2, the crash goes away:

$ ftp 127.0.0.1 31337
Connected to 127.0.0.1.
421 Service not available.
ftp>

That patch hunk is in ftp/ftp.c:

@@ -529,6 +531,10 @@
                        INTOFF;
                        lostpeer(0);
                        INTON;
+                       if (cout) {
+                               fclose(cout);
+                               cout = NULL;
+                       }
                }
                return (n - '0');
        }
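Review bot: the "if (cout)" guard added after lostpeer(0) only prevents a second fclose() if lostpeer() leaves cout set to NULL once it has closed the stream; the two consecutive fclose() calls in the reporter's strace, and the crash inside fclose(), indicate that in this build cout still points at the already-closed stream when control returns here, so the check passes and the same FILE* is closed again. Either drop this hunk, as the reporter suggests, or make the close site inside lostpeer() own the cleanup ("fclose(cout); cout = NULL;") so that a later "if (cout)" test actually means something; adding a guarded fclose() in the caller cannot repair a dangling pointer left by the callee.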

...And it is modifying the behavior at the end of getreply(), specifically, how it handles 421 responses.  With that removed, there's only one fclose() call.  I suspect that this error path is (now?) properly handled and the patch hunk can be dropped.
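The following is an added example and is not code from this bug report or from netkit-ftp. It models the 421 path described above with a hypothetical getreply() tail and two hypothetical lostpeer() variants (one that leaves cout pointing at the closed stream, one that clears it), and replaces fclose() with an instrumented wrapper that reports a second close of the same FILE* instead of crashing, which is the symptom the reporter saw in strace. The function names, the tmpfile() stand-in for the control connection, and the assumption that lostpeer() may leave cout dangling are all constructed for the illustration.

```c
/* Added example, not part of Gentoo bug 662684 or of netkit-ftp.
 * Shows why "if (cout) fclose(cout);" after lostpeer() cannot prevent a
 * double fclose() when lostpeer() closes cout but leaves the pointer set. */
#include <stdio.h>

#define MAX_CLOSED 16

/* Instrumented fclose(): remembers every FILE* it closed and counts, instead
 * of crashing, any attempt to close the same pointer twice. */
static FILE *closed[MAX_CLOSED];
static int nclosed;
static int double_closes;

static int traced_fclose(FILE *fp)
{
    for (int i = 0; i < nclosed; i++) {
        if (closed[i] == fp) {
            double_closes++;   /* a real fclose() here is undefined behaviour */
            return -1;
        }
    }
    if (nclosed < MAX_CLOSED)
        closed[nclosed++] = fp;
    return fclose(fp);
}

static void reset_trace(void)
{
    nclosed = 0;
    double_closes = 0;
}

/* Hypothetical control-connection stream, like ftp.c's global cout. */
static FILE *cout;

/* Variant A (assumed, not netkit-ftp's code): closes the stream but leaves
 * the global pointing at the freed FILE. */
static void lostpeer_dangling(void)
{
    if (cout)
        traced_fclose(cout);
}

/* Variant B: the close site owns the pointer and clears it. */
static void lostpeer_clearing(void)
{
    if (cout) {
        traced_fclose(cout);
        cout = NULL;
    }
}

/* Hypothetical tail of a getreply()-style handler for a 421 reply, carrying
 * the guarded fclose() from the hunk. The guard is only meaningful when the
 * callee already left cout == NULL. */
static int handle_421(void (*lostpeer)(void))
{
    lostpeer();
    if (cout) {
        traced_fclose(cout);
        cout = NULL;
    }
    return '4' - '0';   /* getreply() returns the first digit of the reply */
}

/* Runs the 421 path against one lostpeer() variant on a fresh stream and
 * returns how many double closes the instrumented fclose() observed. */
static int run_421(void (*lostpeer)(void))
{
    reset_trace();
    cout = tmpfile();   /* constructed stand-in for the control connection */
    if (!cout)
        return -1;
    handle_421(lostpeer);
    return double_closes;
}

int main(void)
{
    printf("lostpeer leaves cout dangling: %d double close(s)\n",
           run_421(lostpeer_dangling));
    printf("lostpeer clears cout:          %d double close(s)\n",
           run_421(lostpeer_clearing));
    return 0;
}
```

With the dangling variant the guard in handle_421() sees a non-NULL cout and closes the stream a second time, which is exactly the pattern that turns into a crash inside fclose() when the real function is used; with the clearing variant the guard is simply dead code. Whichever side is chosen, the pointer should be cleared at the same place the stream is closed.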