Bug 205734

Summary: *** glibc detected *** in ftp after specific command sequence
Product: Fedora    Reporter: James <theholyettlz>
Component: krb5    Assignee: Nalin Dahyabhai <nalin>
Status: CLOSED CURRENTRELEASE    QA Contact: Brian Brock <bbrock>
Severity: high
Priority: medium
Version: 5    CC: mmaslano
Hardware: All
OS: Linux
Fixed In Version: ftp-0.17-40.fc7    Doc Type: Bug Fix
Last Closed: 2007-06-16 07:45:48 EDT
Bug Blocks: 206611

Description James 2006-09-08 05:29:08 EDT
Description of problem:
Issuing the commands "mget -?" followed by "mget *" results in a "*** glibc
detected *** ftp: double free or corruption" error and ftp aborts.

Version-Release number of selected component (if applicable):
ftp-0.17-33.fc5

How reproducible:
Always.

Steps to Reproduce:
1. Log in somewhere.
2. Do "mget -?"
3. Do "mget *"
  
Actual results:
ftp dies on SIGABRT

Expected results:
ftp doesn't die, but carries out the second transaction.

Additional info:
Following is a transcript of a typical session, with the remote host disguised.

[james@harmony tmp]$ ftp <remote-host>
Connected to <remote-host>.
220 <remote-host> FTP server (SunOS 5.8) ready.
500 'AUTH GSSAPI': command not understood.
500 'AUTH KERBEROS_V4': command not understood.
KERBEROS_V4 rejected as an authentication type
Name (<remote-host>:james): jhe100
331 Password required for jhe100.
Password:
230 User jhe100 logged in.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> cd mydocuments
250 CWD command successful.
ftp> mget -?
Filename provided by server doesn't match pattern `-?': /bin/ls: illegal option -- ?
Refusing to handle insecure file list
ftp> mget *
*** glibc detected *** ftp: double free or corruption (!prev): 0x0883ebc0 ***
======= Backtrace: =========
/lib/libc.so.6[0x320f18]
/lib/libc.so.6(__libc_free+0x78)[0x3243ef]
/lib/libc.so.6(fclose+0x140)[0x3114c0]
ftp[0xc2ecb3]
ftp[0xc2ef3a]
ftp(main+0x48a)[0xc37d9a]
/lib/libc.so.6(__libc_start_main+0xdc)[0x2d2724]
ftp[0xc29c21]
======= Memory map: ========
00111000-00184000 r-xp 00000000 fd:00 5663940    /usr/lib/libkrb5.so.3.2
00184000-00186000 rwxp 00073000 fd:00 5663940    /usr/lib/libkrb5.so.3.2
00186000-00189000 r-xp 00000000 fd:00 5661470    /usr/lib/libkrb5support.so.0.0
00189000-0018a000 rwxp 00002000 fd:00 5661470    /usr/lib/libkrb5support.so.0.0
0018a000-0018e000 r-xp 00000000 fd:00 3957222    /lib/libnss_dns-2.4.so
0018e000-0018f000 r-xp 00003000 fd:00 3957222    /lib/libnss_dns-2.4.so
0018f000-00190000 rwxp 00004000 fd:00 3957222    /lib/libnss_dns-2.4.so
0023a000-0023c000 r-xp 00000000 fd:00 3958726    /lib/libcom_err.so.2.1
0023c000-0023d000 rwxp 00001000 fd:00 3958726    /lib/libcom_err.so.2.1
0028e000-00297000 r-xp 00000000 fd:00 3957224    /lib/libnss_files-2.4.so
00297000-00298000 r-xp 00008000 fd:00 3957224    /lib/libnss_files-2.4.so
00298000-00299000 rwxp 00009000 fd:00 3957224    /lib/libnss_files-2.4.so
002b9000-002bc000 r-xp 00000000 fd:00 5671943    /usr/lib/libdes425.so.3.0
002bc000-002bd000 rwxp 00002000 fd:00 5671943    /usr/lib/libdes425.so.3.0
002bd000-003ea000 r-xp 00000000 fd:00 3958718    /lib/libc-2.4.so
003ea000-003ec000 r-xp 0012d000 fd:00 3958718    /lib/libc-2.4.so
003ec000-003ed000 rwxp 0012f000 fd:00 3958718    /lib/libc-2.4.so
003ed000-003f0000 rwxp 003ed000 00:00 0
0044e000-00472000 r-xp 00000000 fd:00 5662250    /usr/lib/libk5crypto.so.3.0
00472000-00473000 rwxp 00024000 fd:00 5662250    /usr/lib/libk5crypto.so.3.0
00611000-0061c000 r-xp 00000000 fd:00 3958722    /lib/libgcc_s-4.1.1-20060525.so.1
0061c000-0061d000 rwxp 0000a000 fd:00 3958722    /lib/libgcc_s-4.1.1-20060525.so.1
008ce000-008d3000 r-xp 00000000 fd:00 3957337    /lib/libcrypt-2.4.so
008d3000-008d4000 r-xp 00004000 fd:00 3957337    /lib/libcrypt-2.4.so
008d4000-008d5000 rwxp 00005000 fd:00 3957337    /lib/libcrypt-2.4.so
008d5000-008fc000 rwxp 008d5000 00:00 0
00a2a000-00a39000 r-xp 00000000 fd:00 3958725    /lib/libresolv-2.4.so
00a39000-00a3a000 r-xp 0000e000 fd:00 3958725    /lib/libresolv-2.4.so
00a3a000-00a3b000 rwxp 0000f000 fd:00 3958725    /lib/libresolv-2.4.so
00a3b000-00a3d000 rwxp 00a3b000 00:00 0
00c26000-00c3d000 r-xp 00000000 fd:00 6053482    /usr/kerberos/bin/ftp
00c3d000-00c3f000 rwxp 00017000 fd:00 6053482    /usr/kerberos/bin/ftp
00c3f000-00c52000 rwxp 00c3f000 00:00 0
00d24000-00d3c000 r-xp 00000000 fd:00 5666731    /usr/lib/libgssapi_krb5.so.2.2
00d3c000-00d3d000 rwxp 00017000 fd:00 5666731    /usr/lib/libgssapi_krb5.so.2.2
00e21000-00e22000 r-xp 00e21000 00:00 0          [vdso]
00e22000-00e3b000 r-xp 00000000 fd:00 3958716    /lib/ld-2.4.so
00e3b000-00e3c000 r-xp 00018000 fd:00 3958716    /lib/ld-2.4.so
00e3c000-00e3d000 rwxp 00019000 fd:00 3958716    /lib/ld-2.4.so
00f9f000-00fb7000 r-xp 00000000 fd:00 5667295    /usr/lib/libkrb4.so.2.0
00fb7000-00fb8000 rwxp 00018000 fd:00 5667295    /usr/lib/libkrb4.so.2.0
00fb8000-00fbd000 rwxp 00fb8000 00:00 0
0883d000-0885e000 rw-p 0883d000 00:00 0          [heap]
b7e00000-b7e21000 rw-p b7e00000 00:00 0
b7e21000-b7f00000 ---p b7e21000 00:00 0
b7faa000-b7fad000 rw-p b7faa000 00:00 0
b7fbf000-b7fc4000 rw-p b7fbf000 00:00 0
bfb2d000-bfb42000 rw-p bfb2d000 00:00 0          [stack]
Aborted
Comment 1 Marcela Mašláňová 2006-09-08 07:04:29 EDT
Hello,
I'm trying to reproduce it, but I can't. Could it be a problem of the server? You're
using an FTP server (SunOS 5.8); I'm using vsftpd. Maybe you could test it with
another server and tell me the result. Thanks.

[me@localhost ~]$ rpm -q ftp
ftp-0.17-33.fc5
[ma@localhost ~]$ ftp mycomp.my
Connected to mycomp.my.
220 (vsFTPd 2.0.4)
530 Please login with USER and PASS.
530 Please login with USER and PASS.
KERBEROS_V4 rejected as an authentication type
Name (mycomp.my:me):
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> cd pip
250 Directory successfully changed.
ftp> pwd
257 "/home/me/pip"
ftp> mget -?
mget c.c? y
227 Entering Passive Mode (IP)
150 Opening BINARY mode data connection for c.c (7 bytes).
226 File send OK.
7 bytes received in 0.00024 seconds (29 Kbytes/s)
ftp> mget *
mget c.c? y
227 Entering Passive Mode (IP)
150 Opening BINARY mode data connection for c.c (7 bytes).
226 File send OK.
7 bytes received in 0.00019 seconds (36 Kbytes/s)
ftp> quit
221 Goodbye.
Comment 2 James 2006-09-08 08:21:58 EDT
I've just tried some anonymous ftp from ftp.mirrorservice.org and ftp.redhat.com
and indeed, there is no problem experienced there. I guess the SunOS 5.8
(in.ftpd "UNIX Type: L8 Version: SUNOS"?) server's expansion of "-?" (the
"insecure file list") is DoSing ftp somehow. 
Comment 3 Nalin Dahyabhai 2006-09-13 11:26:04 EDT
This looks like the ftp client from the krb5-workstation package (the attempts
to use AUTH GSSAPI and libgssapi_krb5 showing up in the list of loaded libraries
tipped me off).

It looks like this is being triggered by the FTP server choking on the "-?".  My
test servers here use vsftpd, which doesn't kick out an error, so I'm having a
little trouble reproducing this in Raw Hide.
Comment 4 James 2006-09-13 15:35:04 EDT
I could use telnet to connect to the FTP port on the SunOS server. Then if you
guys can give me the sequence of commands sent by ftp in order to do "mget -?"
and hence capture the raw reply, I'll post the results. 
Comment 5 James 2006-09-14 12:14:57 EDT
Hmm... this also shows up in ftp-0.17-22 in RHEL4.

ftp> debug 5
Debugging on (debug=5).
ftp> mget -?
ftp: setsockopt (ignored): Permission denied
---> PASV
---> NLST -?
Filename provided by server doesn't match pattern `-?': /bin/ls: illegal option -- ?
Refusing to handle insecure file list
ftp> mget *
*** glibc detected *** double free or corruption (!prev): 0x090e90d0 ***
Aborted

When I telnet to the server's port 21 and run the NLST -? command, the session
just hangs there... Hope this is of some help.
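The backtrace in the description ends in fclose() calling free() on memory glibc flags as already freed, the signature of a stream handle being closed twice. As an added example (not code from netkit ftp, krb5 or the reporter), here is a hypothetical file-list reader that applies the same kind of pattern check the client reports ("doesn't match pattern"), closes the list stream exactly once when it rejects a list, and replays the report's "mget -?" then "mget *" sequence; the function names and the NLST reply lines are constructed for the example.

```c
#define _POSIX_C_SOURCE 200809L            /* fmemopen(), fnmatch() */
#include <stdio.h>
#include <string.h>
#include <fnmatch.h>

/* Hypothetical stand-in for the client's file-list reader (not netkit/krb5 ftp
 * code): the NLST reply lives in a static FILE* between calls. */
static FILE *ftemp = NULL;
/* Load a constructed NLST reply as the current list. */
static int filelist_open(const char *reply)
{
    if (ftemp != NULL) { fclose(ftemp); ftemp = NULL; }
    ftemp = fmemopen((void *)reply, strlen(reply), "r");
    return ftemp != NULL;
}

/* Next name matching the requested glob, or NULL when the list is exhausted
 * or rejected (*rejected set). Every close is paired with ftemp = NULL. */
static const char *filelist_next(const char *pattern, int *rejected)
{
    static char name[256];
    *rejected = 0;
    if (ftemp == NULL || fgets(name, sizeof name, ftemp) == NULL) {
        if (ftemp != NULL) { fclose(ftemp); ftemp = NULL; }   /* exhausted */
        return NULL;
    }
    name[strcspn(name, "\r\n")] = '\0';
    if (fnmatch(pattern, name, 0) != 0) {
        /* "insecure file list": the server sent a line the glob did not ask for
         * (here an ls error). Close once and forget it so a later mget cannot fclose() it again. */
        *rejected = 1;
        fclose(ftemp);
        ftemp = NULL;
        return NULL;
    }
    return name;
}

/* Replay the report: "mget -?" against a server whose ls chokes on "-?",
 * then "mget *". Returns the names accepted by the second mget, or -1. */
int run_report_sequence(void)
{
    int rejected, first = 0, second = 0;
    filelist_open("/bin/ls: illegal option -- ?\n");
    while (filelist_next("-?", &rejected) != NULL) first++;
    if (first != 0 || !rejected) return -1;
    filelist_open("c.c\nnotes.txt\n");
    while (filelist_next("*", &rejected) != NULL) second++;
    return rejected ? -1 : second;
}
```

The first mget accepts nothing and is flagged as rejected; the second hands back both names because the stream state was reset between the two commands.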
Comment 6 James 2006-11-28 05:41:44 EST
Also present in ftp-0.17-33.fc6.
Comment 7 James 2007-06-16 07:45:48 EDT
Fixed in ftp-0.17-40.fc7.