On Fri, 11 Mar 2011, Sean Purdy said:
> I'm getting a buffer overflow when connecting to certain ssh servers
> with lftp.
> This problem does not occur with 3.7.14 on Ubuntu 8.10

Actually it does :-/

$ ./lftp-3.7 -u user,pass -p 22 sftp://ftp.somedomain.com/upload
---- Running connect program (ssh -a -x -s -l cidelivery -p 22 partner.fnacmusic.com sftp)
---> sending a packet, length=5, type=1(INIT), id=0
<--- cideliv...@partner.fnacmusic.com's password: XXXX
<--- got a packet, length=954, type=2(VERSION), id=0
---- protocol version set to 4
---> sending a packet, length=10, type=16(REALPATH), id=1
<--- got a packet, length=19, type=104(NAME), id=1
---- home set to /
---- checking directory `/cidelivery/Upload/Naive'
---> sending a packet, length=37, type=17(STAT), id=2
---> sending a packet, length=39, type=17(STAT), id=3
<--- got a packet, length=58, type=105(ATTRS), id=2
<--- got a packet, length=58, type=105(ATTRS), id=3
cd ok, cwd=/upload
lftp upload> ls
---- path on wire is `/upload'
---> sending a packet, length=33, type=11(OPENDIR), id=4
<--- got a packet, length=13, type=102(HANDLE), id=4
---- got file handle 00000000 (4)
---> sending a packet, length=13, type=12(READDIR), id=5
<--- got a packet, length=2026, type=104(NAME), id=5
---- file name count=27
*** buffer overflow detected ***: ./lftp-3.7 terminated
======= Backtrace: =========
/lib/tls/i686/cmov/libc.so.6(__fortify_fail+0x50)[0xb7741390]
/lib/tls/i686/cmov/libc.so.6(+0xe12ca)[0xb77402ca]
/lib/tls/i686/cmov/libc.so.6(+0xe0a08)[0xb773fa08]
/lib/tls/i686/cmov/libc.so.6(_IO_default_xsputn+0x9e)[0xb76c8afe]
/lib/tls/i686/cmov/libc.so.6(_IO_vfprintf+0xe24)[0xb769ca34]
/lib/tls/i686/cmov/libc.so.6(__vsprintf_chk+0xad)[0xb773fabd]
/lib/tls/i686/cmov/libc.so.6(__sprintf_chk+0x2d)[0xb773f9fd]
./lftp-3.7[0x808716d]
./lftp-3.7[0x80c937c]
./lftp-3.7[0x80c97e5]
./lftp-3.7[0x80ca8c3]
./lftp-3.7[0x8074282]
./lftp-3.7[0x8051123]
./lftp-3.7[0x804dc2d]
/lib/tls/i686/cmov/libc.so.6(__libc_start_main+0xe6)[0xb7675bd6]
./lftp-3.7[0x804d171]
======= Memory map: ========
Aborted

Sean
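
The `__sprintf_chk` and `__fortify_fail` frames in the backtrace above are glibc's `_FORTIFY_SOURCE` check aborting a `sprintf` that would have written past its destination buffer. As an added example (not lftp's code and not part of the original message), this is the bounded way to format a listing line from server-supplied fields; the `dir_entry` struct, the field widths and the sample values are assumptions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* One directory entry as a client might hold it after decoding a NAME
   reply. Hypothetical layout; every string is server-controlled. */
struct dir_entry {
    const char *name, *owner, *group;
    unsigned long long size;
};

#define ENTRY_FMT "%-8s %-8s %10llu %s"

/* Constructed samples: a typical entry and one with a 40-byte owner. */
const struct dir_entry SAMPLE_OK = { "file.txt", "sean", "users", 1234 };
const struct dir_entry SAMPLE_LONG = {
    "a", "AAAAAAAAAA" "AAAAAAAAAA" "AAAAAAAAAA" "AAAAAAAAAA", "g", 0 };

/* Fixed buffer: returns the length written, or -1 (and an empty string)
   when the formatted entry would not fit in cap bytes. */
int format_entry(char *dst, size_t cap, const struct dir_entry *e)
{
    int n;
    if (cap == 0)
        return -1;
    n = snprintf(dst, cap, ENTRY_FMT, e->owner, e->group, e->size, e->name);
    if (n < 0 || (size_t)n >= cap) {
        dst[0] = '\0';
        return -1;
    }
    return n;
}

/* Heap buffer: measure with a NULL destination, then allocate exactly.
   Returns NULL on failure; the caller frees the result. */
char *format_entry_alloc(const struct dir_entry *e)
{
    int n = snprintf(NULL, 0, ENTRY_FMT, e->owner, e->group, e->size, e->name);
    char *buf = n < 0 ? NULL : malloc((size_t)n + 1);
    if (buf != NULL)
        snprintf(buf, (size_t)n + 1, ENTRY_FMT, e->owner, e->group, e->size, e->name);
    return buf;
}

int main(void)
{
    char line[32];
    char *p = format_entry_alloc(&SAMPLE_LONG);
    printf("fixed, long owner: %d\n", format_entry(line, sizeof line, &SAMPLE_LONG));
    printf("heap,  long owner: %s\n", p ? p : "(alloc failed)");
    free(p);
    return 0;
}
```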