buffer overflow, bad string handling in network lib?
$ ftp ftp.freebsd.org
login anonymous
ftp> ls

screen fills w/ 'h' characters, repeating, presumably forever.

I've also noticed this working/playing w/ another network library, but I assumed it was in my alpha code, or its dependencies... I'll see if I can find more details, but thought I'd start by getting the word out...

-bch

--
Brad Harder
http://twitter.com/bcharder
Re: buffer overflow, bad string handling in network lib?
On Thu, May 22, 2014 at 11:47:38AM -0700, B Harder wrote:
> $ ftp ftp.freebsd.org
> login anonymous
> ftp> ls
>
> screen fills w/ 'h' characters, repeating, presumably forever.

FWIW: I cannot reproduce it, but you might get connected to another server, I got to:

Trying 2001:6c8:130:800::4:21 ...
Connected to ftp.beastie.tdk.net.

Martin
Re: buffer overflow, bad string handling in network lib?
Select ktrace output:

[...]
  2486      1 ftp      GIO   fd 1 wrote 5 bytes
       "ftp> "
  2486      1 ftp      RET   write 5
  2486      1 ftp      CALL  ioctl(0,TIOCGETA,0x7f7ff7b1ca98)
  2486      1 ftp      GIO   fd 0 read 44 bytes
       "\^B+\0\0\^C\0\0\0\0K\0\0\M-O\^E\0\0\^D\M^?\M^?\^?\^W\^U\^R\M^?\^C\^\\^Z\^Y\^Q\^S\^V\^O\^A\0\^T\M^?\M^@%\0\0\M^@%\0\0"
  2486      1 ftp      RET   ioctl 0
  2486      1 ftp      CALL  ioctl(0,TIOCSETAW,0x7f7ff7b1ca6c)
  2486      1 ftp      GIO   fd 0 wrote 44 bytes
       "B+\0\0\^C\0\0\0\0K\0\0\M-C\0\0\0\M^?\M^?\M^?\^?\M^?\^U\M^?\M^?\^C\^\\^Z\M^?\^Q\^S\M^?\^O\^A\0\M^?\M^?\M^@%\0\0\M^@%\0\0"
  2486      1 ftp      RET   ioctl 0
  2486      1 ftp      CALL  read(0,0x7f7fd580,1)
  2486      1 ftp      GIO   fd 0 read 1 bytes
       "l"
  2486      1 ftp      RET   read 1
  2486      1 ftp      CALL  write(1,0x7f7ff7b0c000,1)
  2486      1 ftp      GIO   fd 1 wrote 1 bytes
       "l"
  2486      1 ftp      RET   write 1
  2486      1 ftp      CALL  read(0,0x7f7fd580,1)
  2486      1 ftp      GIO   fd 0 read 1 bytes
       "s"
  2486      1 ftp      RET   read 1
  2486      1 ftp      CALL  write(1,0x7f7ff7b0c000,1)
  2486      1 ftp      GIO   fd 1 wrote 1 bytes
       "h"
  2486      1 ftp      RET   write 1
  2486      1 ftp      CALL  write(1,0x7f7ff7b0c000,1)
  2486      1 ftp      GIO   fd 1 wrote 1 bytes
       "h"
  2486      1 ftp      RET   write 1
  2486      1 ftp      CALL  write(1,0x7f7ff7b0c000,1)
  2486      1 ftp      GIO   fd 1 wrote 1 bytes
       "h"
  2486      1 ftp      RET   write 1
  2486      1 ftp      CALL  write(1,0x7f7ff7b0c000,1)
  2486      1 ftp      GIO   fd 1 wrote 1 bytes
       "h"
  2486      1 ftp      RET   write 1
  2486      1 ftp      CALL  write(1,0x7f7ff7b0c000,1)
  2486      1 ftp      GIO   fd 1 wrote 1 bytes
       "h"
  2486      1 ftp      RET   write 1
  2486      1 ftp      CALL  write(1,0x7f7ff7b0c000,1)
  2486      1 ftp      GIO   fd 1 wrote 1 bytes
       "h"
  2486      1 ftp      RET   write 1
  2486      1 ftp      CALL  write(1,0x7f7ff7b0c000,1)
  2486      1 ftp      GIO   fd 1 wrote 1 bytes
       "h"
  2486      1 ftp      RET   write 1
  2486      1 ftp      CALL  write(1,0x7f7ff7b0c000,1)
  2486      1 ftp      GIO   fd 1 wrote 1 bytes
       "h"
  2486      1 ftp      RET   write 1
  2486      1 ftp      CALL  write(1,0x7f7ff7b0c000,1)
  2486      1 ftp      GIO   fd 1 wrote 1 bytes
       "\a"
  2486      1 ftp      RET   write 1
  2486      1 ftp      CALL  write(1,0x7f7ff7b0c000,1)
  2486      1 ftp      GIO   fd 1 wrote 1 bytes
       "h"
  2486      1 ftp      RET   write 1
  2486      1 ftp      CALL  write(1,0x7f7ff7b0c000,1)
  2486      1 ftp      GIO   fd 1 wrote 1 bytes
       "\a"
  2486      1 ftp      RET   write 1
  2486      1 ftp      CALL  write(1,0x7f7ff7b0c000,1)
  2486      1 ftp      GIO   fd 1 wrote 1 bytes
[...]

On 5/22/14, B Harder <brad.har...@gmail.com> wrote:
> Hi Martin.
>
> I _think_ the 'h' error starts before I even press Return...
>
> (/me tests...)
>
> kamloops$ ftp ftp.freebsd.org
> Trying 2001:4f8:0:2::e:21 ...
> ftp: Can't connect to `2001:4f8:0:2::e:21': No route to host
> Trying 204.152.184.73:21 ...
> Connected to freebsd.isc.org.
> 220 Welcome to freebsd.isc.org.
> Name (ftp.freebsd.org:bch): anonymous
> 331 Please specify the password.
> Password:
> 230 Login successful.
> Remote system type is UNIX.
> Using binary mode to transfer files.
> ftp> ls
>       ^ starts spewing 'h' immediately after keying the 's' in ls.
>
> -bch
>
> On 5/22/14, Martin Husemann <mar...@duskware.de> wrote:
>> On Thu, May 22, 2014 at 11:47:38AM -0700, B Harder wrote:
>>> $ ftp ftp.freebsd.org
>>> login anonymous
>>> ftp> ls
>>>
>>> screen fills w/ 'h' characters, repeating, presumably forever.
>>
>> FWIW: I cannot reproduce it, but you might get connected to another server, I got to:
>>
>> Trying 2001:6c8:130:800::4:21 ...
>> Connected to ftp.beastie.tdk.net.
>>
>> Martin
>
> --
> Brad Harder
> Method Logic Digital Consulting
> http://www.methodlogic.net/
> http://twitter.com/bcharder

--
Brad Harder
Method Logic Digital Consulting
http://www.methodlogic.net/
http://twitter.com/bcharder
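The trace in the message above already contains the check a practitioner wants before attributing a runaway of identical bytes to a buffer overflow in a network library: after the one-byte read of "s" from fd 0 (the tty), the process writes "h" to fd 1 over and over without reading from any other descriptor, so the bytes are not arriving from a socket but are being produced by the client itself. The following Python is an added example for this thread (not code from NetBSD, from ftp(1) or from the poster) that automates that inference over kdump(1) output. It assumes kdump's usual layout of a GIO line ("fd N read/wrote N bytes") followed by one indented, double-quoted data line; the first sample is the thread's own excerpt reflowed into that layout, and the second is a constructed contrast case in which a hypothetical fd 4 plays the FTP data connection.

```python
"""Triage helper for a kdump(1) trace: did a burst of bytes written to the
terminal come from a descriptor the process read (e.g. a socket), or did the
process generate them itself after a short terminal read?

Added example for this thread; not code from NetBSD, ftp(1) or the poster.
Assumes kdump's usual layout: a GIO line ("fd N read/wrote N bytes") followed
by one indented, double-quoted data line (multi-line data is not handled)."""
import re
from dataclasses import dataclass
from typing import List, Optional

GIO_RE = re.compile(
    r"^\s*\d+\s+\d+\s+\S+\s+GIO\s+fd (\d+) (read|wrote) (\d+) bytes\s*$")
DATA_RE = re.compile(r'^\s*"(.*)"\s*$')

# Constructed sample, reflowed from the ktrace excerpt in the thread: the tty
# (fd 0) delivers "l", then "s", and then 11 one-byte writes follow with no
# read from any descriptor in between.
SAMPLE_LOCAL_SPEW = (
    "  2486      1 ftp      CALL  read(0,0x7f7fd580,1)\n"
    "  2486      1 ftp      GIO   fd 0 read 1 bytes\n"
    '       "l"\n'
    "  2486      1 ftp      RET   read 1\n"
    "  2486      1 ftp      CALL  write(1,0x7f7ff7b0c000,1)\n"
    "  2486      1 ftp      GIO   fd 1 wrote 1 bytes\n"
    '       "l"\n'
    "  2486      1 ftp      RET   write 1\n"
    "  2486      1 ftp      CALL  read(0,0x7f7fd580,1)\n"
    "  2486      1 ftp      GIO   fd 0 read 1 bytes\n"
    '       "s"\n'
    "  2486      1 ftp      RET   read 1\n"
) + "".join(
    "  2486      1 ftp      CALL  write(1,0x7f7ff7b0c000,1)\n"
    "  2486      1 ftp      GIO   fd 1 wrote 1 bytes\n"
    f'       "{ch}"\n'
    "  2486      1 ftp      RET   write 1\n"
    for ch in ["h"] * 8 + ["\\a", "h", "\\a"]
)

# Constructed contrast case (hypothetical fd 4 as the FTP data connection):
# a directory line is read from the socket and then written to the terminal.
SAMPLE_SERVER_LISTING = (
    "  2486      1 ftp      CALL  read(0,0x7f7fd580,1)\n"
    "  2486      1 ftp      GIO   fd 0 read 1 bytes\n"
    '       "\\n"\n'
    "  2486      1 ftp      RET   read 1\n"
    "  2486      1 ftp      CALL  read(4,0x7f7ff7b10000,1024)\n"
    "  2486      1 ftp      GIO   fd 4 read 34 bytes\n"
    '       "drwxr-xr-x  2 ftp  ftp  512 pub\\r\\n"\n'
    "  2486      1 ftp      RET   read 34\n"
    "  2486      1 ftp      CALL  write(1,0x7f7ff7b10000,34)\n"
    "  2486      1 ftp      GIO   fd 1 wrote 34 bytes\n"
    '       "drwxr-xr-x  2 ftp  ftp  512 pub\\r\\n"\n'
    "  2486      1 ftp      RET   write 34\n"
)


@dataclass
class IOEvent:
    fd: int
    direction: str   # "read" or "wrote"
    nbytes: int
    data: str        # as printed by kdump (vis(3)-escaped), left undecoded


@dataclass
class Verdict:
    burst_len: int                   # consecutive writes in the burst
    bytes_out: int                   # bytes written in the burst
    distinct_output: List[str]       # distinct escaped byte strings written
    feeding_read: Optional[IOEvent]  # last read before the burst began
    origin: str


def parse_gio(text: str) -> List[IOEvent]:
    """Extract the GIO records (the bytes actually moved) from kdump output."""
    lines = text.splitlines()
    events = []
    for i, line in enumerate(lines):
        m = GIO_RE.match(line)
        if not m:
            continue
        data = ""
        if i + 1 < len(lines):
            d = DATA_RE.match(lines[i + 1])
            if d:
                data = d.group(1)
        events.append(IOEvent(int(m.group(1)), m.group(2), int(m.group(3)), data))
    return events


def longest_write_run(events: List[IOEvent], out_fd: int):
    """Indices [start, end) of the longest run of back-to-back writes to
    out_fd; by construction no read of any descriptor occurs inside it."""
    best, i = (0, 0), 0
    while i < len(events):
        j = i
        while j < len(events) and events[j].direction == "wrote" and events[j].fd == out_fd:
            j += 1
        if j - i > best[1] - best[0]:
            best = (i, j)
        i = j if j > i else i + 1
    return best


def classify_output(events: List[IOEvent], out_fd: int = 1, tty_fd: int = 0) -> Verdict:
    """Decide whether the biggest output burst was forwarded from a descriptor
    the process read, or produced by the process itself."""
    start, end = longest_write_run(events, out_fd)
    burst = events[start:end]
    feeding = next((e for e in reversed(events[:start]) if e.direction == "read"), None)
    bytes_out = sum(e.nbytes for e in burst)
    if feeding is None:
        origin = "unknown: no read precedes the burst"
    elif feeding.fd != tty_fd and feeding.nbytes >= bytes_out:
        origin = f"forwarded from fd {feeding.fd}"
    elif feeding.fd == tty_fd and bytes_out > feeding.nbytes:
        origin = "generated locally: more bytes out than the tty read supplied, no other fd read"
    else:
        origin = "inconclusive"
    return Verdict(len(burst), bytes_out, sorted({e.data for e in burst}), feeding, origin)


if __name__ == "__main__":
    for name, sample in [("spew", SAMPLE_LOCAL_SPEW), ("listing", SAMPLE_SERVER_LISTING)]:
        print(name, classify_output(parse_gio(sample)))
```

Feed it `kdump` output of the full trace (`ktrace -i ftp ... ; kdump > trace.txt`) and the verdict tells you which side of the socket to look at first: a burst fed only by a one-byte tty read points at the client's own input handling, which is where this thread ended up.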
Re: buffer overflow, bad string handling in network lib?
Nevermind -- it looks like a stray entry in my .editrc. If it turns out it is a real issue, I'll repost. Apologies for the noise.

-bch

On 5/22/14, B Harder <brad.har...@gmail.com> wrote:
> Select ktrace output:
>
> [...]

--
Brad Harder
Method Logic Digital Consulting
http://www.methodlogic.net/
http://twitter.com/bcharder