epsilon@wet.UUCP (Eric P. Scott) (07/23/89)
(reproduce: ftp localhost; dir ... bye-bye!) I compiled the latest bsd source: same symptom. -=EPS=- / SFSU
epsilon@wet.UUCP (Eric P. Scott) (07/27/89)
Well, no one else has taken up the challenge, so here I am,
following up my own posting.
nano-explanation: free() is called with a pointer not obtained
from malloc().
micro-explanation: The glob() function returns its argument if no
expansion is done, otherwise it returns the expansion in
malloc'ed memory. ftpd_popen() calls glob() with an automatic
and always frees the return value. NLST works because it's just
an ls--there's nothing to expand, hence nothing to free.
Fix: ensure that glob() always returns malloc'ed memory.
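The ownership problem just described, as an added illustration that is not the thread's code and not 4.3BSD's glob.c: a miniature expander with the old contract (returns its own argument when nothing expands) beside the patched contract (always returns heap memory), plus probes that show why only the second one can be freed unconditionally. All names here (`has_metachar`, `do_expand`, `expand_buggy`, `expand_fixed` and the probe functions) are invented for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Invented names (not from glob.c): has_metachar, do_expand,
 * expand_buggy, expand_fixed and the three probe functions below. */

/* Does the pattern contain a glob metacharacter? */
static int has_metachar(const char *pat)
{
    return strpbrk(pat, "*?[") != NULL;
}

/* Stand-in for real filename expansion: returns a malloc'ed copy of the
 * pattern with the metacharacters removed.  Enough to give the function
 * a genuine "heap result" path. */
static char *do_expand(const char *pat)
{
    char *out = malloc(strlen(pat) + 1);
    char *p = out;

    if (out == NULL)
        return NULL;
    for (; *pat != '\0'; pat++)
        if (strchr("*?[]", *pat) == NULL)
            *p++ = *pat;
    *p = '\0';
    return out;
}

/* The old contract: hand back the caller's own argument when nothing
 * expands, malloc'ed memory otherwise.  The caller has no way to tell
 * the two apart, so an unconditional free() is wrong half the time. */
char *expand_buggy(char *pat)
{
    if (!has_metachar(pat))
        return pat;                 /* NOT heap memory */
    return do_expand(pat);
}

/* The patched contract: every return value is heap memory the caller
 * owns, so the caller may always free() it.  The copy of an unchanged
 * argument is the point, not an inefficiency (cf. strspl(v, "")). */
char *expand_fixed(const char *pat)
{
    if (!has_metachar(pat)) {
        char *copy = malloc(strlen(pat) + 1);
        if (copy != NULL)
            strcpy(copy, pat);
        return copy;
    }
    return do_expand(pat);
}

/* 1 if expand_buggy() returned the caller's own buffer (a pointer that
 * must not be passed to free()), 0 otherwise. */
int buggy_returns_argument(void)
{
    char arg[] = "ls";              /* automatic storage, as in ftpd_popen() */
    char *r = expand_buggy(arg);
    return r == arg;
}

/* Same probe for expand_fixed(); the result is freed, which is valid now. */
int fixed_returns_argument(void)
{
    char arg[] = "ls";
    char *r = expand_fixed(arg);
    int alias = (r == arg);
    free(r);
    return alias;
}

/* Expand pat under the fixed contract, free the result, and report
 * whether its text equalled expect: 1 yes, 0 no, -1 on allocation failure. */
int fixed_expands_to(const char *pat, const char *expect)
{
    char *r = expand_fixed(pat);
    int same;
    if (r == NULL)
        return -1;
    same = strcmp(r, expect) == 0;
    free(r);
    return same;
}

int main(void)
{
    printf("buggy aliases argument: %d\n", buggy_returns_argument());
    printf("fixed aliases argument: %d\n", fixed_returns_argument());
    printf("fixed expands \"a*b?\" to \"ab\": %d\n", fixed_expands_to("a*b?", "ab"));
    return 0;
}
```

The general lesson is the one the patch applies: a function whose return value is sometimes owned by the caller and sometimes by the callee cannot be used safely, because the ownership is not visible at the call site; the NLST case in the text is exactly the "nothing to expand" branch of `expand_buggy`.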
*** glob.c.old
--- glob.c
***************
*** 71,78 ****
vv[1] = 0;
gflag = 0;
rscan(vv, tglob);
! if (gflag == 0)
return (copyblk(vv));
globerr = 0;
gpath = agpath; gpathp = gpath; *gpathp = 0;
--- 71,80 ----
vv[1] = 0;
gflag = 0;
rscan(vv, tglob);
! if (gflag == 0) {
+ vv[0]=strspl(v, "");
return (copyblk(vv));
+ }
globerr = 0;
gpath = agpath; gpathp = gpath; *gpathp = 0;
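Review bot: the new `vv[0]=strspl(v, "");` line needs a comment saying why an unchanged argument is being copied: it exists so that the returned block is malloc'ed throughout and callers such as ftpd_popen() may always free it; without that note the next reader will see a pointless copy of `v` and remove it, reviving the crash described above. If strspl() can return a null pointer when malloc() fails, the `gflag == 0` branch should also check for that before handing the block to copyblk(), since a null first entry looks like an empty list to the caller. Style: spaces around `=` to match `vv[1] = 0;` a few lines above.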
Unrelated bugfix: someone doesn't believe in varargs, and defines
the reply() function in ftpd.c to take 7 arguments. Elsewhere
it's called with 8. (Thoroughly nasty to SunOS ftpd, BTW.)
The #ifdef notdefs aren't really part of the fix, just a personal
peeve.
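The varargs alternative the paragraph above alludes to, as an added example that is not the thread's patch and not ftpd.c: a `<stdarg.h>` reply formatter that consumes exactly as many arguments as the format names, so there is no p0..p5 slot count for callers to get out of step with. `reply_fmt` and `reply_demo` are invented names, and the function writes into a caller-supplied buffer instead of stdout only so the result can be checked; the format strings and values in the demo are constructed.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* reply_fmt() and reply_demo() are invented names; the buffer-based
 * interface exists only so the result can be inspected. */

/* Variadic replacement for the fixed-arity reply(n, s, p0, ..., p5):
 * writes "<code> <formatted text>\r\n" into buf.  Returns the number of
 * characters written, or -1 if the reply would not fit. */
int reply_fmt(char *buf, size_t bufsz, int code, const char *fmt, ...)
{
    va_list ap;
    int n, m;

    n = snprintf(buf, bufsz, "%d ", code);
    if (n < 0 || (size_t)n >= bufsz)
        return -1;

    va_start(ap, fmt);
    /* vsnprintf consumes exactly as many arguments as fmt names; there
     * is no p0..p5 slot count to get out of step with the callers. */
    m = vsnprintf(buf + n, bufsz - (size_t)n, fmt, ap);
    va_end(ap);
    if (m < 0 || (size_t)(n + m) + 3 > bufsz)    /* room for CRLF and NUL */
        return -1;
    n += m;

    /* The line terminator is appended as data, never run through a
     * format parser (the same idea as the fputs("\r\n", stdout) change). */
    buf[n++] = '\r';
    buf[n++] = '\n';
    buf[n] = '\0';
    return n;
}

/* A constructed 150-style reply with three format arguments; the same
 * call site could pass any number without touching reply_fmt(). */
const char *reply_demo(void)
{
    static char line[128];
    if (reply_fmt(line, sizeof line, 150,
                  "Opening %s mode data connection for %s (%d bytes).",
                  "ASCII", "/etc/motd", 42) < 0)
        return "";
    return line;
}

/* Shows the -1 path: a 16-byte buffer cannot hold the reply above. */
int reply_demo_overflow(void)
{
    char small[16];
    return reply_fmt(small, sizeof small, 150,
                     "Opening %s mode data connection for %s (%d bytes).",
                     "ASCII", "/etc/motd", 42);
}

int main(void)
{
    fputs(reply_demo(), stdout);
    printf("too-small buffer -> %d\n", reply_demo_overflow());
    return 0;
}
```

With a fixed-arity K&R definition, an eighth argument at a call site has no parameter to land in and what happens depends entirely on the calling convention, which is why the same source misbehaves differently from one system to another; the variadic form removes that dependency, and the explicit size check removes the second classic failure of reply-building code, an unbounded write into the output buffer.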
*** ftpd.c.old
--- ftpd.c
***************
*** 639,656 ****
dologout(0);
}
! reply(n, s, p0, p1, p2, p3, p4)
int n;
char *s;
{
printf("%d ", n);
! printf(s, p0, p1, p2, p3, p4);
printf("\r\n");
(void) fflush(stdout);
if (debug) {
syslog(LOG_DEBUG, "<--- %d ", n);
! syslog(LOG_DEBUG, s, p0, p1, p2, p3, p4);
}
}
--- 639,660 ----
dologout(0);
}
! reply(n, s, p0, p1, p2, p3, p4, p5)
int n;
char *s;
{
printf("%d ", n);
! printf(s, p0, p1, p2, p3, p4, p5);
+ #ifdef notdef
printf("\r\n");
+ #else
+ fputs("\r\n", stdout);
+ #endif
(void) fflush(stdout);
if (debug) {
syslog(LOG_DEBUG, "<--- %d ", n);
! syslog(LOG_DEBUG, s, p0, p1, p2, p3, p4, p5);
}
}
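Review bot: widening `reply(n, s, p0, p1, p2, p3, p4, p5)` by one positional slot fixes today's eight-argument caller but keeps the fixed-arity shape that caused the bug; the K&R parameters p0..p5 are also left untyped (implicitly int), so pointer arguments pass through correctly only where int and pointer happen to share a size. The durable fix the description itself alludes to is a varargs version that hands the list to vprintf() for the stdout copy (the syslog() copy would need an equivalent, or a formatted buffer); short of that, a comment above reply() recording the maximum argument count is the least that should go in. The `#ifdef notdef` around `printf("\r\n");` leaves dead code in the tree; if fputs() is the preferred call, replace the line outright.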
***************
*** 660,666 ****
--- 664,674 ----
{
printf("%d-", n);
printf(s, p0, p1, p2, p3, p4);
+ #ifdef notdef
printf("\r\n");
+ #else
+ fputs("\r\n", stdout);
+ #endif
(void) fflush(stdout);
if (debug) {
syslog(LOG_DEBUG, "<--- %d- ", n);
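Review bot: `printf(s, p0, p1, p2, p3, p4);` in this hunk keeps five format arguments while reply() above was widened to six, so the multi-line variant (the `%d-` prefix) still has the original fixed-arity exposure the moment a caller hands it more; either widen both in the same change or, better, convert both to varargs together so the two functions cannot drift apart again. The `#ifdef notdef` here has the same dead-code objection as in the previous hunk.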
>>> This message is NOT crossposted.
>>> Please do not ask me for ftpd sources or binaries.
>>> This information is provided for developer use until it's
>>> incorporated in an "official" release.
-=EPS=- / SFSU
epsilon@wet.UUCP (Eric P. Scott) (07/29/89)
Oops! There are more places in the code where SIGSEGVs are breeding. This is not NeXT's fault--the problems are in Berkeley's code (almost entirely in the post-Nov. 1988 "security improvements"). Some time in the (hopefully near) future a better-behaved version will be available in source form from UUNET. -=EPS=-