Subject: bin/12425: a glob.c fix for stopping globbing resource usage
To: None <gnats-bugs@gnats.netbsd.org>
From: None <reedreedmedia.net@netbsd.org>
List: netbsd-bugs
Date: 03/16/2001 14:37:49
>Number:         12425
>Category:       bin
>Synopsis:       glob() can use up resources (patch included)
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    bin-bug-people
>State:          open
>Class:          change-request
>Submitter-Id:   net
>Arrival-Date:   Fri Mar 16 14:38:00 PST 2001
>Closed-Date:
>Last-Modified:
>Originator:     Jeremy C. Reed
>Release:        1.5.1_ALPHA
>Organization:
	
>Environment:
	
System: NetBSD rainier 1.5.1_ALPHA NetBSD 1.5.1_ALPHA (JCR-1.5-20010108) #0: Mon Jan 8 09:25:45 PST 2001 reed@rainier:/usr/src/sys/arch/i386/compile/JCR-1.5-20010108 i386


>Description:
netbsd-bugs received an email and 
Bugtraq has had some postings about an "ls" based DoS via ftpd.
This is a patch to workaround it. It is very similar to FreeBSD's patch.
>How-To-Repeat:
ls */../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*

After patch (and csh rebuilt):
% ls */../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*
*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*: Internal glob error.
>Fix:
(How do I make a diff without the RCS/ident tags?)

--- __glob13.c	Fri Mar 16 14:29:59 2001
+++ /usr/src/lib/libc/gen/__glob13.c	Fri Mar 16 14:22:37 2001
@@ -102,6 +102,9 @@
     "warning: reference to compatibility globfree(); include <glob.h> for correct reference")
 #endif
 
+/* only allow a max amount of entries */
+#define MAX_GLOBENTRIES 10000
+
 #define	DOLLAR		'$'
 #define	DOT		'.'
 #define	EOS		'\0'
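Review bot: the comment on the new MAX_GLOBENTRIES define should say what the limit bounds and what happens when it is exceeded, since "only allow a max amount of entries" does not tell a reader that glob() will return GLOB_ABORTED once the collected pathname count passes 10000. Something like "/* abort a glob() that collects more than this many pathnames; guards against pathological patterns */" would document the behaviour the second hunk introduces. Consider also noting that the value is a fixed, non-tunable constant, since legitimate globs over large directories will now fail at that point.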
@@ -712,12 +715,14 @@
 {
 	char **pathv;
 	int i;
-	size_t newsize;
+	u_int newsize;
 	char *copy;
 	const Char *p;
 
 	_DIAGASSERT(path != NULL);
 	_DIAGASSERT(pglob != NULL);
+
+	if (pglob->gl_pathc > MAX_GLOBENTRIES) return (GLOB_ABORTED);
 
 	newsize = sizeof(*pathv) * (2 + pglob->gl_pathc + pglob->gl_offs);
 	pathv = pglob->gl_pathv ? 
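Review bot: the change of newsize from size_t to u_int is unrelated to the limit and narrows the type used for the allocation size computed on the next line (sizeof(*pathv) * (2 + gl_pathc + gl_offs)); it should be dropped so the fix stays minimal and the size arithmetic keeps its original width. On the check itself, the limit is applied to pglob->gl_pathc, i.e. the number of pathnames already collected, so it bounds the size of the result vector but not the directory reads done while matching a pattern that yields few results; the description only claims a workaround, which is fair, but a comment at the check saying it caps result entries rather than traversal work would avoid overstating it. Two smaller points: with ">" the 10001st entry is still added before the next call aborts (use ">=" if the intent is "at most MAX_GLOBENTRIES"), and KNF style puts the "return (GLOB_ABORTED);" on its own line under the if.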

>Release-Note:
>Audit-Trail:
>Unformatted: