Bug 414051

Summary: *** buffer overflow detected ***: lftp terminatedving data
Product: Fedora
Reporter: sangu <sangu.fedora>
Component: lftp
Assignee: Martin Nagy <mnagy>
Status: CLOSED RAWHIDE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: high
Priority: medium
Version: rawhide
CC: bugs, hripps, mnagy, mtasaka, nicolas.mailhot, ychavan
Hardware: i386
OS: Linux
Doc Type: Bug Fix
Last Closed: 2007-12-13 08:28:57 UTC
Attachments:
  Fix the buffer size and use snprintf instead of sprintf (flags: none)

Description sangu 2007-12-06 15:17:23 UTC
Description of problem:
$ lftp http://koji.fedoraproject.org/packages/cairo/1.5.4/1.fc9/i386/
cd ok, cwd=/packages/cairo/1.5.4/1.fc9/i386                
lftp koji.fedoraproject.org:/packages/cairo/1.5.4/1.fc9/i386> mget *.rpm
*** buffer overflow detected ***: lftp terminatedving data]
======= Backtrace: =========
/lib/libc.so.6(__fortify_fail+0x48)[0x328b58]
/lib/libc.so.6[0x327200]
/lib/libc.so.6[0x326918]
/lib/libc.so.6(_IO_default_xsputn+0xcd)[0x2a4e8d]
/lib/libc.so.6(_IO_vfprintf+0x8ef)[0x27bfcf]
/lib/libc.so.6(__vsprintf_chk+0xad)[0x3269cd]
/lib/libc.so.6(__sprintf_chk+0x30)[0x326900]
/usr/lib/liblftp-tasks.so.0(_ZN8FileCopy17GetPercentDoneStrEv+0x59)[0x193be9]
/usr/lib/liblftp-jobs.so.0(_ZN7CopyJob6StatusEPK10StatusLineb+0xab)[0x15a14b]
/usr/lib/liblftp-jobs.so.0(_ZN7CopyJob13ShowRunStatusEP10StatusLine+0x37)[0x15a1e7]
/usr/lib/liblftp-jobs.so.0(_ZN3Job13ShowRunStatusEP10StatusLine+0x7d)[0x13e50d]
/usr/lib/liblftp-jobs.so.0(_ZN7mgetJob13ShowRunStatusEP10StatusLine+0x54)[0x14b934]
/usr/lib/liblftp-jobs.so.0(_ZN3Job13ShowRunStatusEP10StatusLine+0x7d)[0x13e50d]
/usr/lib/liblftp-jobs.so.0(_ZN7CmdExec13ShowRunStatusEP10StatusLine+0xb1)[0x141861]
/usr/lib/liblftp-jobs.so.0(_ZN7CmdExec2DoEv+0x702)[0x143242]
/usr/lib/liblftp-tasks.so.0(_ZN6SMTask8ScheduleEv+0xbc)[0x183f8c]
/usr/lib/liblftp-jobs.so.0(_ZN3Job8WaitDoneEv+0x2d)[0x13e46d]
lftp[0x804c3c7]
/lib/libc.so.6(__libc_start_main+0xe0)[0x255390]
lftp[0x804b7d1]
======= Memory map: ========
00110000-0012b000 r-xp 00000000 08:09 7155302    /lib/ld-2.7.so
0012b000-0012c000 r-xp 0001a000 08:09 7155302    /lib/ld-2.7.so
0012c000-0012d000 rwxp 0001b000 08:09 7155302    /lib/ld-2.7.so
0012d000-0012e000 r-xp 0012d000 00:00 0          [vdso]
0012e000-00169000 r-xp 00000000 08:09 7645400    /usr/lib/liblftp-jobs.so.0.0.0
00169000-0016c000 rwxp 0003a000 08:09 7645400    /usr/lib/liblftp-jobs.so.0.0.0
0016c000-001c4000 r-xp 00000000 08:09 7645999    /usr/lib/liblftp-tasks.so.0.0.0
001c4000-001c8000 rwxp 00057000 08:09 7645999    /usr/lib/liblftp-tasks.so.0.0.0
001c8000-001cc000 rwxp 001c8000 00:00 0 
001cc000-001fc000 r-xp 00000000 08:09 7648471    /usr/lib/libreadline.so.5.2
001fc000-00200000 rwxp 00030000 08:09 7648471    /usr/lib/libreadline.so.5.2
00200000-00201000 rwxp 00200000 00:00 0 
00201000-00203000 r-xp 00000000 08:09 7158649    /lib/libutil-2.7.so
00203000-00204000 r-xp 00001000 08:09 7158649    /lib/libutil-2.7.so
00204000-00205000 rwxp 00002000 08:09 7158649    /lib/libutil-2.7.so
00205000-00225000 r-xp 00000000 08:09 7155216    /lib/libncurses.so.5.6
00225000-00226000 rwxp 00020000 08:09 7155216    /lib/libncurses.so.5.6
00226000-00236000 r-xp 00000000 08:09 7160118    /lib/libresolv-2.7.so
00236000-00237000 r-xp 00010000 08:09 7160118    /lib/libresolv-2.7.so
00237000-00238000 rwxp 00011000 08:09 7160118    /lib/libresolv-2.7.so
00238000-0023a000 rwxp 00238000 00:00 0 
0023a000-0023d000 r-xp 00000000 08:09 7158615    /lib/libdl-2.7.so
0023d000-0023e000 r-xp 00002000 08:09 7158615    /lib/libdl-2.7.so
0023e000-0023f000 rwxp 00003000 08:09 7158615    /lib/libdl-2.7.so
0023f000-00392000 r-xp 00000000 08:09 7155361    /lib/libc-2.7.so
00392000-00394000 r-xp 00153000 08:09 7155361    /lib/libc-2.7.so
00394000-00395000 rwxp 00155000 08:09 7155361    /lib/libc-2.7.so
00395000-00398000 rwxp 00395000 00:00 0 
00398000-00476000 r-xp 00000000 08:09 7645279    /usr/lib/libstdc++.so.6.0.8
00476000-00479000 r-xp 000dd000 08:09 7645279    /usr/lib/libstdc++.so.6.0.8
00479000-0047b000 rwxp 000e0000 08:09 7645279    /usr/lib/libstdc++.so.6.0.8
0047b000-00481000 rwxp 0047b000 00:00 0 
00481000-004a8000 r-xp 00000000 08:09 7158620    /lib/libm-2.7.so
004a8000-004a9000 r-xp 00026000 08:09 7158620    /lib/libm-2.7.so
004a9000-004aa000 rwxp 00027000 08:09 7158620    /lib/libm-2.7.so
004aa000-004b5000 r-xp 00000000 08:09 7155204    /lib/libgcc_s-4.1.2-20071124.so.1
004b5000-004b6000 rwxp 0000a000 08:09 7155204    /lib/libgcc_s-4.1.2-20071124.so.1
004b6000-004cb000 r-xp 00000000 08:09 7155321    /lib/libtinfo.so.5.6
004cb000-004ce000 rwxp 00014000 08:09 7155321    /lib/libtinfo.so.5.6
004ce000-004e1000 r-xp 00000000 08:09 3368871    /usr/lib/lftp/3.5.14/proto-http.so
004e1000-004e2000 rwxp 00013000 08:09 3368871    /usr/lib/lftp/3.5.14/proto-http.so
004e2000-004fd000 r-xp 00000000 08:09 3368678    /usr/lib/lftp/3.5.14/liblftp-network.so
004fd000-004ff000 rwxp 0001a000 08:09 3368678    /usr/lib/lftp/3.5.14/liblftp-network.so
004ff000-00503000 rwxp 004ff000 00:00 0 
00503000-00548000 r-xp 00000000 08:09 7155326    /lib/libssl.so.0.9.8g
00548000-0054c000 rwxp 00045000 08:09 7155326    /lib/libssl.so.0.9.8g
0054c000-00684000 r-xp 00000000 08:09 7155250    /lib/libcrypto.so.0.9.8g
00684000-00697000 rwxp 00137000 08:09 7155250    /lib/libcrypto.so.0.9.8g
00697000-0069b000 rwxp 00697000 00:00 0 
0069b000-006c7000 r-xp 00000000 08:09 7645694    /usr/lib/libgssapi_krb5.so.2.2
006c7000-006c8000 rwxp 0002c000 08:09 7645694    /usr/lib/libgssapi_krb5.so.2.2
006c8000-00763000 r-xp 00000000 08:09 7650511    /usr/lib/libkrb5.so.3.3
00763000-00766000 rwxp 0009a000 08:09 7650511    /usr/lib/libkrb5.so.3.3
00766000-00768000 r-xp 00000000 08:09 7155309    /lib/libcom_err.so.2.1
00768000-00769000 rwxp 00001000 08:09 7155309    /lib/libcom_err.so.2.1
00769000-0078e000 r-xp 00000000 08:09 7654026    /usr/lib/libk5crypto.so.3.1
0078e000-0078f000 rwxp 00025000 08:09 7654026    /usr/lib/libk5crypto.so.3.1
0078f000-007a1000 r-xp 00000000 08:09 7157346    /lib/libz.so.1.2.3
007a1000-007a2000 rwxp 00011000 08:09 7157346    /lib/libz.so.1.2.3
007a2000-007aa000 r-xp 00000000 08:09 7658869    /usr/lib/libkrb5support.so.0.1
007aa000-007ab000 rwxp 00007000 08:09 7658869    /usr/lib/libkrb5support.so.0.1
007ab000-007ad000 r-xp 00000000 08:09 7155174    /lib/libkeyutils-1.2.so
007ad000-007ae000 rwxp 00001000 08:09 7155174    /lib/libkeyutils-1.2.so
007ae000-007c7000 r-xp 00000000 08:09 7155182    /lib/libselinux.so.1
007c7000-007c9000 rwxp 00018000 08:09 7155182    /lib/libselinux.so.1
08048000-08051000 r-xp 00000000 08:09 7646311    /usr/bin/lftp
08051000-08052000 rw-p 00008000 08:09 7646311    /usr/bin/lftp
08a38000-08a9e000 rw-p 08a38000 00:00 0 
b7c14000-b7c15000 rw-p b7c14000 00:00 0 
b7c15000-b7c1c000 r--s 00000000 08:09 7721136    /usr/lib/gconv/gconv-modules.cache
b7c1c000-b7c1d000 r--p 00cac000 08:09 7652580    /usr/lib/locale/locale-archive
b7c1d000-b7cff000 r--p 0019f000 08:09 7652580    /usr/lib/locale/locale-archive
b7cff000-b7eff000 r--p 00000000 08:09 7652580    /usr/lib/locale/locale-archive
b7eff000-b7f03000 rw-p b7eff000 00:00 0 
bfe03000-bfe18000 rw-p bffea000 00:00 0          [stack]
Aborted

(gdb) bt
#0  0x0012d402 in __kernel_vsyscall ()
#1  0x00268690 in raise (sig=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
#2  0x00269f91 in abort () at abort.c:88
#3  0x002a09eb in __libc_message (do_abort=2, 
    fmt=0x368833 "*** %s ***: %s terminated\n")
    at ../sysdeps/unix/sysv/linux/libc_fatal.c:170
#4  0x00328b58 in __fortify_fail (msg=0x368802 "buffer overflow detected")
    at fortify_fail.c:32
#5  0x00327200 in __chk_fail () at chk_fail.c:29
#6  0x00326918 in _IO_str_chk_overflow (fp=0xbfdd896c, c=32)
    at vsprintf_chk.c:35
#7  0x002a4e8d in _IO_default_xsputn (f=0xbfdd896c, data=0x1b51dc, n=2)
    at genops.c:486
#8  0x0027bfcf in _IO_vfprintf_internal (s=0xbfdd896c, 
    format=0x1b51d7 "(%d%%) ", ap=<value optimized out>) at vfprintf.c:1590
#9  0x003269cd in ___vsprintf_chk (s=0x1c7414 "(15%)", flags=1, slen=6, 
    format=0x1b51d7 "(%d%%) ", args=0xbfdd8a50 "\017") at vsprintf_chk.c:87
#10 0x00326900 in ___sprintf_chk (s=0x1c7414 "(15%)", flags=1, slen=6, 
    format=0x1b51d7 "(%d%%) ") at sprintf_chk.c:33
#11 0x00193be9 in FileCopy::GetPercentDoneStr (this=0x8eff4d0)
    at /usr/include/bits/stdio2.h:35
#12 0x0015a14b in CopyJob::Status (this=0x8f02be8, s=0x8eed580, base=false)
    at CopyJob.cc:92
#13 0x0015a1e7 in CopyJob::ShowRunStatus (this=0x0, s=0x8eed580)
    at CopyJob.cc:102
#14 0x0013e50d in Job::ShowRunStatus (this=0x8ef3c28, sl=0x8eed580)
    at Job.cc:524
#15 0x0014b934 in mgetJob::ShowRunStatus (this=0x6, s=0x8eed580)
    at mgetJob.cc:40
#16 0x0013e50d in Job::ShowRunStatus (this=0x8ee1ff8, sl=0x8eed580)
    at Job.cc:524
#17 0x00141861 in CmdExec::ShowRunStatus (this=0x8ee1ff8, s=0x8eed580)
    at CmdExec.cc:723
#18 0x00143242 in CmdExec::Do (this=0x8ee1ff8) at CmdExec.cc:594
#19 0x00183f8c in SMTask::Schedule () at SMTask.cc:241
#20 0x0013e46d in Job::WaitDone (this=0x8ee1ff8) at Job.cc:557
#21 0x0804c3c7 in main (argc=2, argv=0xbfdd8d74) at lftp.cc:489
#22 0x00255390 in __libc_start_main (main=0x804c0b0 <main>, argc=2, 
    ubp_av=0xbfdd8d74, init=0x804f4b0 <__libc_csu_init>, 
    fini=0x804f4a0 <__libc_csu_fini>, rtld_fini=0x11e940 <_dl_fini>, 
    stack_end=0xbfdd8d6c) at libc-start.c:220
#23 0x0804b7d1 in _start ()


Version-Release number of selected component (if applicable):
3.5.14-2.1.fc9

How reproducible:
always

Steps to Reproduce:
1. lftp http://koji.fedoraproject.org/packages/cairo/1.5.4/1.fc9/i386/
2. mget *.rpm

Comment 1 Mamoru TASAKA 2007-12-11 07:14:18 UTC
I am seeing the same problem.

Comment 2 Mamoru TASAKA 2007-12-11 07:15:12 UTC
By the way, the latest upstream version is 3.6.1.

Comment 3 Martin Nagy 2007-12-11 12:01:43 UTC
Created attachment 283981 [details]
Fix the buffer size and use snprintf instead of sprintf

It doesn't core dump for me, but I think I know where the problem is. Please try
this patch and let me know if it works. Thanks.

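The gdb trace in the description pins the fault down exactly: __sprintf_chk is entered with slen=6, the format "(%d%%) " and a value of 15, and the fortified check aborts while storing the sixth byte (c=32, the trailing space of ") "), because "(15%) " needs seven bytes once the NUL is counted. The C program below is an added example, not lftp's code and not the patch attached in comment 3. It reconstructs that arithmetic with an assumed 6-byte destination, shows which percentages fit and which overrun it, and pairs it with the snprintf-based formatter the patch title describes, sized for the worst-case int and checking the return value for truncation. The function and macro names are illustrative assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Reconstruction of the pattern visible in the gdb trace: a fixed 6-byte
 * destination (slen=6 in frame #9) and the format "(%d%%) ". The buffer
 * size comes from the trace; the identifiers below are assumptions for
 * illustration, not lftp's own names. */
#define OLD_BUF_LEN 6
#define PERCENT_FMT "(%d%%) "

/* Bytes sprintf(buf, PERCENT_FMT, percent) would store, including the NUL.
 * Measured with snprintf(NULL, 0, ...), which writes nothing. This is the
 * comparison __sprintf_chk makes against slen before it calls __chk_fail. */
size_t percent_bytes_needed(int percent)
{
    int n = snprintf(NULL, 0, PERCENT_FMT, percent);
    return n < 0 ? 0 : (size_t)n + 1;
}

/* True when the original fixed-size buffer would be overrun. */
bool old_buffer_overflows(int percent)
{
    return percent_bytes_needed(percent) > OLD_BUF_LEN;
}

/* Hardened replacement. The widest int renders as "(-2147483648%) ",
 * 15 characters plus NUL, so 16 bytes is the true minimum; 24 leaves slack.
 * snprintf never writes past out_len and always NUL-terminates; the return
 * value tells the caller whether the text was truncated. */
#define NEW_BUF_LEN 24
bool format_percent_done(char *out, size_t out_len, int percent)
{
    int n = snprintf(out, out_len, PERCENT_FMT, percent);
    return n >= 0 && (size_t)n < out_len;
}

int main(void)
{
    char buf[NEW_BUF_LEN];
    int samples[] = { 5, 15, 100 };   /* constructed progress values */
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int p = samples[i];
        bool fits = format_percent_done(buf, sizeof buf, p);
        printf("%3d%% -> needs %zu bytes, old 6-byte buffer %s, hardened: \"%s\"%s\n",
               p, percent_bytes_needed(p),
               old_buffer_overflows(p) ? "OVERFLOWS" : "fits",
               buf, fits ? "" : " (truncated)");
    }
    return 0;
}
```

Two things worth noting from the arithmetic: a single-digit percentage renders as "(5%) ", five characters plus NUL, which fits the 6-byte buffer exactly, so the crash only appears once the reported progress reaches two digits, which is consistent with it not reproducing on every run. And the abort is a product of _FORTIFY_SOURCE; a build without it performs the same write and silently clobbers whatever follows the buffer, so the fix has to be the correct size plus snprintf, not reliance on the runtime check.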
Comment 4 Mamoru TASAKA 2007-12-11 16:52:33 UTC
(In reply to comment #3)
> Created attachment 283981
> Fix the buffer size and use snprintf instead of sprintf

Seems to work for me.


Comment 5 Martin Nagy 2007-12-11 17:12:48 UTC
Patch sent to upstream.

Comment 6 Martin Nagy 2007-12-12 06:37:54 UTC
*** Bug 420401 has been marked as a duplicate of this bug. ***

Comment 7 Martin Nagy 2007-12-13 07:38:59 UTC
(In reply to comment #2)
> By the way, the latest upstream version is 3.6.1.

Yes, I know. I promise to update as soon as I have some time. Hopefully, I'll
have it done before the end of the year. Please be patient.

Comment 8 Martin Nagy 2007-12-13 08:28:57 UTC
This issue is fixed in lftp-3.5.14-3.fc9
Fixed packages were also proposed for updates:
lftp-3.5.14-3.fc8
lftp-3.5.10-4.fc7

Comment 9 Fedora Update System 2007-12-15 17:46:28 UTC
lftp-3.5.14-3.fc8 has been pushed to the Fedora 8 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 10 Fedora Update System 2007-12-15 17:47:42 UTC
lftp-3.5.10-4.fc7 has been pushed to the Fedora 7 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 11 bugs 2013-01-11 14:04:54 UTC
Fixed on RHEL5 - lftp-3.7.11-4.el5_5.3, broken again on RHEL6 lftp-4.0.9-1.el6.x86_64:

*** buffer overflow detected ***: lftp terminated
======= Backtrace: =========
/lib64/libc.so.6(__fortify_fail+0x37)[0x3592701d47]
/lib64/libc.so.6[0x35926ffc30]
/lib64/libc.so.6[0x35926ff089]
/lib64/libc.so.6(_IO_default_xsputn+0xc9)[0x35926740e9]
/lib64/libc.so.6(_IO_vfprintf+0xc60)[0x3592644ec0]
/lib64/libc.so.6(__vsprintf_chk+0x9d)[0x35926ff12d]
/lib64/libc.so.6(__sprintf_chk+0x7f)[0x35926ff06f]
/usr/lib64/liblftp-tasks.so.0(_ZN8FileInfo12MakeLongNameEv+0x168)[0x7fcc45873938]
/usr/lib64/lftp/4.0.9/proto-sftp.so(_ZN4SFtp12HandleExpectEPNS_6ExpectE+0x88e)[0x7fcc3f79a36e]
/usr/lib64/lftp/4.0.9/proto-sftp.so(_ZN4SFtp13HandleRepliesEv+0x183)[0x7fcc3f79a723]
/usr/lib64/lftp/4.0.9/proto-sftp.so(_ZN4SFtp2DoEv+0x124)[0x7fcc3f79c4e4]
/usr/lib64/liblftp-tasks.so.0(_ZN6SMTask8ScheduleEv+0x74)[0x7fcc45862fc4]
/usr/lib64/liblftp-jobs.so.0(_ZN3Job8WaitDoneEv+0xd)[0x7fcc45af24cd]
lftp[0x405af5]
/lib64/libc.so.6(__libc_start_main+0xfd)[0x359261ecdd]
lftp[0x405139]