svn commit: r186405 - head/libexec/ftpd head/sys/kern releng/6.3 releng/6.3/libexec/ftpd releng/6.3/sys/conf releng/6.3/sys/kern releng/6.4 releng/6.4/libexec/ftpd releng/6.4/sys/conf releng/6.4/sy...

2008-12-22 Thread Colin Percival
Author: cperciva
Date: Tue Dec 23 01:23:09 2008
New Revision: 186405
URL: http://svn.freebsd.org/changeset/base/186405

Log:
  Prevent cross-site forgery attacks on ftpd(8) due to splitting
  long commands into multiple requests. [08:12]
  
  Avoid calling uninitialized function pointers in protocol switch
  code. [08:13]
  
  Merry Christmas everybody...
  
  Approved by:  so (cperciva)
  Approved by:  re (kensmith)
  Security: FreeBSD-SA-08:12.ftpd, FreeBSD-SA-08:13.protosw

Modified:
  stable/7/libexec/ftpd/extern.h
  stable/7/libexec/ftpd/ftpcmd.y
  stable/7/libexec/ftpd/ftpd.c
  stable/7/sys/kern/uipc_domain.c

Changes in other areas also in this revision:
Modified:
  head/libexec/ftpd/extern.h
  head/libexec/ftpd/ftpcmd.y
  head/libexec/ftpd/ftpd.c
  head/sys/kern/uipc_domain.c
  releng/6.3/UPDATING
  releng/6.3/libexec/ftpd/extern.h
  releng/6.3/libexec/ftpd/ftpcmd.y
  releng/6.3/libexec/ftpd/ftpd.c
  releng/6.3/sys/conf/newvers.sh
  releng/6.3/sys/kern/uipc_domain.c
  releng/6.4/UPDATING
  releng/6.4/libexec/ftpd/extern.h
  releng/6.4/libexec/ftpd/ftpcmd.y
  releng/6.4/libexec/ftpd/ftpd.c
  releng/6.4/sys/conf/newvers.sh
  releng/6.4/sys/kern/uipc_domain.c
  releng/7.0/UPDATING
  releng/7.0/libexec/ftpd/extern.h
  releng/7.0/libexec/ftpd/ftpcmd.y
  releng/7.0/libexec/ftpd/ftpd.c
  releng/7.0/sys/conf/newvers.sh
  releng/7.0/sys/kern/uipc_domain.c
  releng/7.1/UPDATING
  releng/7.1/libexec/ftpd/extern.h
  releng/7.1/libexec/ftpd/ftpcmd.y
  releng/7.1/libexec/ftpd/ftpd.c
  releng/7.1/sys/kern/uipc_domain.c
  stable/6/libexec/ftpd/extern.h
  stable/6/libexec/ftpd/ftpcmd.y
  stable/6/libexec/ftpd/ftpd.c
  stable/6/sys/kern/uipc_domain.c

Modified: stable/7/libexec/ftpd/extern.h
==
--- stable/7/libexec/ftpd/extern.h  Tue Dec 23 01:22:57 2008
(r186404)
+++ stable/7/libexec/ftpd/extern.h  Tue Dec 23 01:23:09 2008
(r186405)
@@ -46,7 +46,7 @@ void  fatalerror(char *);
 voidftpd_logwtmp(char *, char *, struct sockaddr *addr);
 intftpd_pclose(FILE *);
 FILE   *ftpd_popen(char *, char *);
-char   *getline(char *, int, FILE *);
+intgetline(char *, int, FILE *);
 void   lreply(int, const char *, ...) __printflike(2, 3);
 void   makedir(char *);
 void   nack(char *);

Modified: stable/7/libexec/ftpd/ftpcmd.y
==
--- stable/7/libexec/ftpd/ftpcmd.y  Tue Dec 23 01:22:57 2008
(r186404)
+++ stable/7/libexec/ftpd/ftpcmd.y  Tue Dec 23 01:23:09 2008
(r186405)
@@ -1191,7 +1191,7 @@ lookup(struct tab *p, char *cmd)
 /*
  * getline - a hacked up version of fgets to ignore TELNET escape codes.
  */
-char *
+int
 getline(char *s, int n, FILE *iop)
 {
int c;
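Review bot: The comment above getline() still describes it only as a hacked-up fgets, while this hunk changes the return type from `char *` to `int` and nothing documents the new contract. Judging from the later hunks in this file, the values are 0 for a complete line, -1 for EOF before any byte was stored, and -2 for an over-long command that was discarded. I would add a line to the header comment such as `* Returns 0 on success, -1 on EOF with nothing read, -2 if the command was too long and was discarded.` Named constants instead of the bare -1/-2 would also make the caller's checks in yylex() easier to audit. The function body continues outside this hunk, and the same point applies to the head and releng/6.3 copies of this hunk further down the page.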
@@ -1207,7 +1207,7 @@ getline(char *s, int n, FILE *iop)
if (ftpdebug)
syslog(LOG_DEBUG, command: %s, s);
tmpline[0] = '\0';
-   return(s);
+   return(0);
}
if (c == 0)
tmpline[0] = '\0';
@@ -1244,13 +1244,24 @@ getline(char *s, int n, FILE *iop)
}
}
*cs++ = c;
-   if (--n = 0 || c == '\n')
+   if (--n = 0) {
+   /*
+* If command doesn't fit into buffer, discard the
+* rest of the command and indicate truncation.
+* This prevents the command to be split up into
+* multiple commands.
+*/
+   while (c != '\n'  (c = getc(iop)) != EOF)
+   ;
+   return (-2);
+   }
+   if (c == '\n')
break;
}
 got_eof:
sigprocmask(SIG_SETMASK, osset, NULL);
if (c == EOF  cs == s)
-   return (NULL);
+   return (-1);
*cs++ = '\0';
if (ftpdebug) {
if (!guest  strncasecmp(pass , s, 5) == 0) {
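Review bot: The new `return (-2);` in the truncation branch leaves the function before the `got_eof:` label, so it skips the `sigprocmask(SIG_SETMASK, ...)` restore that the other exits from the read loop pass through. The code that changes the mask is outside this hunk, so this is inferred from the restore call, but if signals are blocked before the loop, an over-long command would leave them blocked for the rest of the session. Repeating the restore right before the early return, `sigprocmask(SIG_SETMASK, &osset, NULL);`, would keep all exit paths consistent. The drain loop also returns -2 when it stops on EOF rather than on a newline, which deserves a short comment stating that the next call is expected to report the EOF. The same hunk appears again for head and releng/6.3 later on this page.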
@@ -1270,7 +1281,7 @@ got_eof:
syslog(LOG_DEBUG, command: %.*s, len, s);
}
}
-   return (s);
+   return (0);
 }
 
 static void
@@ -1300,9 +1311,14 @@ yylex(void)
case CMD:
(void) signal(SIGALRM, toolong);
(void) alarm(timeout);
-   if (getline(cbuf, sizeof(cbuf)-1, stdin) == NULL) {
+   n = getline(cbuf, sizeof(cbuf)-1, stdin);
+   if (n == -1) {
reply(221, You could at least say goodbye.);
dologout(0);
+   } else if (n == -2) {
+   reply(500, Command too long.);
+   (void) alarm(0);
+

svn commit: r186405 - head/libexec/ftpd head/sys/kern releng/6.3 releng/6.3/libexec/ftpd releng/6.3/sys/conf releng/6.3/sys/kern releng/6.4 releng/6.4/libexec/ftpd releng/6.4/sys/conf releng/6.4/sy...

2008-12-22 Thread Colin Percival
Author: cperciva
Date: Tue Dec 23 01:23:09 2008
New Revision: 186405
URL: http://svn.freebsd.org/changeset/base/186405

Log:
  Prevent cross-site forgery attacks on ftpd(8) due to splitting
  long commands into multiple requests. [08:12]
  
  Avoid calling uninitialized function pointers in protocol switch
  code. [08:13]
  
  Merry Christmas everybody...
  
  Approved by:  so (cperciva)
  Approved by:  re (kensmith)
  Security: FreeBSD-SA-08:12.ftpd, FreeBSD-SA-08:13.protosw

Modified:
  head/libexec/ftpd/extern.h
  head/libexec/ftpd/ftpcmd.y
  head/libexec/ftpd/ftpd.c
  head/sys/kern/uipc_domain.c

Changes in other areas also in this revision:
Modified:
  releng/6.3/UPDATING
  releng/6.3/libexec/ftpd/extern.h
  releng/6.3/libexec/ftpd/ftpcmd.y
  releng/6.3/libexec/ftpd/ftpd.c
  releng/6.3/sys/conf/newvers.sh
  releng/6.3/sys/kern/uipc_domain.c
  releng/6.4/UPDATING
  releng/6.4/libexec/ftpd/extern.h
  releng/6.4/libexec/ftpd/ftpcmd.y
  releng/6.4/libexec/ftpd/ftpd.c
  releng/6.4/sys/conf/newvers.sh
  releng/6.4/sys/kern/uipc_domain.c
  releng/7.0/UPDATING
  releng/7.0/libexec/ftpd/extern.h
  releng/7.0/libexec/ftpd/ftpcmd.y
  releng/7.0/libexec/ftpd/ftpd.c
  releng/7.0/sys/conf/newvers.sh
  releng/7.0/sys/kern/uipc_domain.c
  releng/7.1/UPDATING
  releng/7.1/libexec/ftpd/extern.h
  releng/7.1/libexec/ftpd/ftpcmd.y
  releng/7.1/libexec/ftpd/ftpd.c
  releng/7.1/sys/kern/uipc_domain.c
  stable/6/libexec/ftpd/extern.h
  stable/6/libexec/ftpd/ftpcmd.y
  stable/6/libexec/ftpd/ftpd.c
  stable/6/sys/kern/uipc_domain.c
  stable/7/libexec/ftpd/extern.h
  stable/7/libexec/ftpd/ftpcmd.y
  stable/7/libexec/ftpd/ftpd.c
  stable/7/sys/kern/uipc_domain.c

Modified: head/libexec/ftpd/extern.h
==
--- head/libexec/ftpd/extern.h  Tue Dec 23 01:22:57 2008(r186404)
+++ head/libexec/ftpd/extern.h  Tue Dec 23 01:23:09 2008(r186405)
@@ -46,7 +46,7 @@ void  fatalerror(char *);
 voidftpd_logwtmp(char *, char *, struct sockaddr *addr);
 intftpd_pclose(FILE *);
 FILE   *ftpd_popen(char *, char *);
-char   *getline(char *, int, FILE *);
+intgetline(char *, int, FILE *);
 void   lreply(int, const char *, ...) __printflike(2, 3);
 void   makedir(char *);
 void   nack(char *);

Modified: head/libexec/ftpd/ftpcmd.y
==
--- head/libexec/ftpd/ftpcmd.y  Tue Dec 23 01:22:57 2008(r186404)
+++ head/libexec/ftpd/ftpcmd.y  Tue Dec 23 01:23:09 2008(r186405)
@@ -1191,7 +1191,7 @@ lookup(struct tab *p, char *cmd)
 /*
  * getline - a hacked up version of fgets to ignore TELNET escape codes.
  */
-char *
+int
 getline(char *s, int n, FILE *iop)
 {
int c;
@@ -1207,7 +1207,7 @@ getline(char *s, int n, FILE *iop)
if (ftpdebug)
syslog(LOG_DEBUG, command: %s, s);
tmpline[0] = '\0';
-   return(s);
+   return(0);
}
if (c == 0)
tmpline[0] = '\0';
@@ -1244,13 +1244,24 @@ getline(char *s, int n, FILE *iop)
}
}
*cs++ = c;
-   if (--n = 0 || c == '\n')
+   if (--n = 0) {
+   /*
+* If command doesn't fit into buffer, discard the
+* rest of the command and indicate truncation.
+* This prevents the command to be split up into
+* multiple commands.
+*/
+   while (c != '\n'  (c = getc(iop)) != EOF)
+   ;
+   return (-2);
+   }
+   if (c == '\n')
break;
}
 got_eof:
sigprocmask(SIG_SETMASK, osset, NULL);
if (c == EOF  cs == s)
-   return (NULL);
+   return (-1);
*cs++ = '\0';
if (ftpdebug) {
if (!guest  strncasecmp(pass , s, 5) == 0) {
@@ -1270,7 +1281,7 @@ got_eof:
syslog(LOG_DEBUG, command: %.*s, len, s);
}
}
-   return (s);
+   return (0);
 }
 
 static void
@@ -1300,9 +1311,14 @@ yylex(void)
case CMD:
(void) signal(SIGALRM, toolong);
(void) alarm(timeout);
-   if (getline(cbuf, sizeof(cbuf)-1, stdin) == NULL) {
+   n = getline(cbuf, sizeof(cbuf)-1, stdin);
+   if (n == -1) {
reply(221, You could at least say goodbye.);
dologout(0);
+   } else if (n == -2) {
+   reply(500, Command too long.);
+   (void) alarm(0);
+   continue;
   

svn commit: r186405 - head/libexec/ftpd head/sys/kern releng/6.3 releng/6.3/libexec/ftpd releng/6.3/sys/conf releng/6.3/sys/kern releng/6.4 releng/6.4/libexec/ftpd releng/6.4/sys/conf releng/6.4/sy...

2008-12-22 Thread Colin Percival
Author: cperciva
Date: Tue Dec 23 01:23:09 2008
New Revision: 186405
URL: http://svn.freebsd.org/changeset/base/186405

Log:
  Prevent cross-site forgery attacks on ftpd(8) due to splitting
  long commands into multiple requests. [08:12]
  
  Avoid calling uninitialized function pointers in protocol switch
  code. [08:13]
  
  Merry Christmas everybody...
  
  Approved by:  so (cperciva)
  Approved by:  re (kensmith)
  Security: FreeBSD-SA-08:12.ftpd, FreeBSD-SA-08:13.protosw

Modified:
  releng/6.3/UPDATING
  releng/6.3/libexec/ftpd/extern.h
  releng/6.3/libexec/ftpd/ftpcmd.y
  releng/6.3/libexec/ftpd/ftpd.c
  releng/6.3/sys/conf/newvers.sh
  releng/6.3/sys/kern/uipc_domain.c
  releng/6.4/UPDATING
  releng/6.4/libexec/ftpd/extern.h
  releng/6.4/libexec/ftpd/ftpcmd.y
  releng/6.4/libexec/ftpd/ftpd.c
  releng/6.4/sys/conf/newvers.sh
  releng/6.4/sys/kern/uipc_domain.c
  releng/7.0/UPDATING
  releng/7.0/libexec/ftpd/extern.h
  releng/7.0/libexec/ftpd/ftpcmd.y
  releng/7.0/libexec/ftpd/ftpd.c
  releng/7.0/sys/conf/newvers.sh
  releng/7.0/sys/kern/uipc_domain.c
  releng/7.1/UPDATING
  releng/7.1/libexec/ftpd/extern.h
  releng/7.1/libexec/ftpd/ftpcmd.y
  releng/7.1/libexec/ftpd/ftpd.c
  releng/7.1/sys/kern/uipc_domain.c

Changes in other areas also in this revision:
Modified:
  head/libexec/ftpd/extern.h
  head/libexec/ftpd/ftpcmd.y
  head/libexec/ftpd/ftpd.c
  head/sys/kern/uipc_domain.c
  stable/6/libexec/ftpd/extern.h
  stable/6/libexec/ftpd/ftpcmd.y
  stable/6/libexec/ftpd/ftpd.c
  stable/6/sys/kern/uipc_domain.c
  stable/7/libexec/ftpd/extern.h
  stable/7/libexec/ftpd/ftpcmd.y
  stable/7/libexec/ftpd/ftpd.c
  stable/7/sys/kern/uipc_domain.c

Modified: releng/6.3/UPDATING
==
--- releng/6.3/UPDATING Tue Dec 23 01:22:57 2008(r186404)
+++ releng/6.3/UPDATING Tue Dec 23 01:23:09 2008(r186405)
@@ -8,6 +8,13 @@ Items affecting the ports and packages s
 /usr/ports/UPDATING.  Please read that file before running
 portupgrade.
 
+20081223:  p7  FreeBSD-SA-08:12.ftpd, FreeBSD-SA-08:13.protosw
+   Prevent cross-site forgery attacks on ftpd(8) due to splitting
+   long commands into multiple requests. [08:12]
+
+   Avoid calling uninitialized function pointers in protocol switch
+   code. [08:13]
+
 20081124:  p6  FreeBSD-SA-08:11.arc4random
Make sure arc4random(9) is properly seeded when /etc/rc.d/initrandom
returns.

Modified: releng/6.3/libexec/ftpd/extern.h
==
--- releng/6.3/libexec/ftpd/extern.hTue Dec 23 01:22:57 2008
(r186404)
+++ releng/6.3/libexec/ftpd/extern.hTue Dec 23 01:23:09 2008
(r186405)
@@ -46,7 +46,7 @@ void  fatalerror(char *);
 voidftpd_logwtmp(char *, char *, struct sockaddr *addr);
 intftpd_pclose(FILE *);
 FILE   *ftpd_popen(char *, char *);
-char   *getline(char *, int, FILE *);
+intgetline(char *, int, FILE *);
 void   lreply(int, const char *, ...) __printflike(2, 3);
 void   makedir(char *);
 void   nack(char *);

Modified: releng/6.3/libexec/ftpd/ftpcmd.y
==
--- releng/6.3/libexec/ftpd/ftpcmd.yTue Dec 23 01:22:57 2008
(r186404)
+++ releng/6.3/libexec/ftpd/ftpcmd.yTue Dec 23 01:23:09 2008
(r186405)
@@ -1191,7 +1191,7 @@ lookup(struct tab *p, char *cmd)
 /*
  * getline - a hacked up version of fgets to ignore TELNET escape codes.
  */
-char *
+int
 getline(char *s, int n, FILE *iop)
 {
int c;
@@ -1207,7 +1207,7 @@ getline(char *s, int n, FILE *iop)
if (ftpdebug)
syslog(LOG_DEBUG, command: %s, s);
tmpline[0] = '\0';
-   return(s);
+   return(0);
}
if (c == 0)
tmpline[0] = '\0';
@@ -1244,13 +1244,24 @@ getline(char *s, int n, FILE *iop)
}
}
*cs++ = c;
-   if (--n = 0 || c == '\n')
+   if (--n = 0) {
+   /*
+* If command doesn't fit into buffer, discard the
+* rest of the command and indicate truncation.
+* This prevents the command to be split up into
+* multiple commands.
+*/
+   while (c != '\n'  (c = getc(iop)) != EOF)
+   ;
+   return (-2);
+   }
+   if (c == '\n')
break;
}
 got_eof:
sigprocmask(SIG_SETMASK, osset, NULL);
if (c == EOF  cs == s)
-   return (NULL);
+   return (-1);
*cs++ = '\0';
if (ftpdebug) {
if (!guest  strncasecmp(pass , s, 5) == 0) {