netbsd-bugs: Re: Possible bug with ls or ftpd ?

Subject: Re: Possible bug with ls or ftpd ?
To: Frank DENIS \(Jedi/Sector One\) <j@4u.net>
From: Jeremy C. Reed <reed@reedmedia.net>
List: netbsd-bugs
Date: 03/16/2001 14:42:20

On Thu, 15 Mar 2001, Frank DENIS (Jedi/Sector One) wrote:

> ftp ftp.netbsd.org
> 230 Guest login ok, access restrictions apply.
> Remote system type is UNIX.
> Using binary mode to transfer files.
> ftp>  ls */../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*

Thanks for the information. Please note that this is not truly a
"ftpd" bug, but this is a problem libc's glob().

FreeBSD has a simple workaround (fix?) which I changed for NetBSD. It
seems to fix the problem for me.


--- __glob13.c.orig  Fri Mar 16 14:29:59 2001
+++ /usr/src/lib/libc/gen/__glob13.c    Fri Mar 16 14:22:37 2001
@@ -102,6 +102,9 @@
     "warning: reference to compatibility globfree(); include <glob.h> for
correct reference")
 #endif
 
+/* only allow a max amount of entries */
+#define MAX_GLOBENTRIES 10000
+
 #define        DOLLAR          '$'
 #define        DOT             '.'
 #define        EOS             '\0'
@@ -712,12 +715,14 @@
 {
        char **pathv;
        int i;
-       size_t newsize;
+       u_int newsize;
        char *copy;
        const Char *p;
 
        _DIAGASSERT(path != NULL);
        _DIAGASSERT(pglob != NULL);
+
+       if (pglob->gl_pathc > MAX_GLOBENTRIES) return (GLOB_ABORTED);
 
        newsize = sizeof(*pathv) * (2 + pglob->gl_pathc + pglob->gl_offs);
        pathv = pglob->gl_pathv ? 


   Jeremy C. Reed
   http://www.reedmedia.net/