standards/144761: FTPD bug remote crash

[David BERARD]

>Number: 144761
>Category: standards
>Synopsis: FTPD bug remote crash
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: freebsd-standards
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Mon Mar 15 12:40:07 UTC 2010
>Closed-Date:
>Last-Modified:
>Originator: David BERARD
>Release: FreeBSD 8.0-RELEASE amd64
>Organization:
NFrance Conseil
>Environment:
System: FreeBSD lab.polymorf.fr 8.0-RELEASE FreeBSD 8.0-RELEASE #0: Sat Nov 21 15:02:08 UTC 2009 ro...@mason.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC amd64

>Description:
FTPD child process can die with signal 11, bug found by Kingcope
kernel: pid 46033 (ftpd), uid 1001: exited on signal 11
References :
http://seclists.org/fulldisclosure/2010/Mar/117
http://seclists.org/fulldisclosure/2010/Mar/138
http://seclists.org/fulldisclosure/2010/Mar/139
>How-To-Repeat:
ftp localhost
[....login....]
ftp> mkdir WWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWW
ftp> ls {W*/../W*/../W*/../W*/../W*/../W*/../W*/}
[....Server close connection....]
>Fix:

See the attached patch, should fix issue

--- ftpd_popen.patch begins here ---
--- /usr/src/libexec/ftpd/popen.c 2009-10-25 01:10:29.000000000 +0000
+++ /usr/src/libexec/ftpd/popen.c 2010-03-13 08:03:24.000000000 +0000
@@ -108,7 +108,7 @@
memset(&gl, 0, sizeof(gl));
gl.gl_matchc = MAXGLOBARGS;
flags |= GLOB_LIMIT;
- if (glob(argv[argc], flags, NULL, &gl))
+ if (glob(argv[argc], flags, NULL, &gl) || gl.gl_pathc == 0)
gargv[gargc++] = strdup(argv[argc]);
else
for (pop = gl.gl_pathv; *pop && gargc < (MAXGLOBARGS-1);
--- ftpd_popen.patch ends here ---

>Release-Note:
>Audit-Trail:
>Unformatted: