Hello Alex,
this was a tricky one, because it only happened when I compiled it
without debugging symbols. Lftp segfaulted when I opened a long IPv6
address. The problem was that the value of 'ParsedURL *url=0;' in 'job
*CmdExec::builtin_open()' was overwritten by the
'unquote(s+strlen(s),(url && url->orig_url)?url->orig_url:path);'
statement. It segfaulted for me on the 'delete url;' statement, because
url pointed to a corrupted value. The stuff is in src/commands.cc.
The problem seems to be that the buffer in 'char
*s=string_alloca(strlen(path)*2+40);' is a bit too short. When I raised
the 40 (incrementing by one up to 45), it didn't segfault for me at 45
any longer. I didn't understand the code, but it seems like a simple
buffer overflow, and raising the value of '40' to hold an unquoted
IPv6 address in a worst case scenario should be enough.
"FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF\0" == 40. Maybe the unquoting
function needs more space or whatever. I have no idea.
Maybe you can reproduce it using lftp-3.3.0 on Debian Sarge Function
compiled with:
./configure --with-openssl
simple ftp://login:[EMAIL PROTECTED]/
(faui05) [/var/tmp/sithglan/lftp-3.3.0] lftp simple
Segmentation fault (core dumped)
For a quick fix I raised 40 to 80.
Thanks,
Thomas
--- a/src/commands.cc
+++ b/src/commands.cc
@@ -968,7 +968,7 @@
session->SetCwd(FileAccess::Path(old,is_file,url));
}
- char *s=string_alloca(strlen(path)*2+40);
+ char *s=string_alloca(strlen(path)*2+80);
strcpy(s,"&& cd \"");
unquote(s+strlen(s),(url && url->orig_url)?url->orig_url:path);
strcat(s,"\"");
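Review bot: The buffer is sized from `path` (`strlen(path)*2+40`) but the string `unquote` writes into it is `url->orig_url` whenever that is set, so the size and the content come from two different strings, and raising 40 to 80 only moves the threshold at which a long `orig_url` overruns the stack buffer. Size the buffer from the string that is actually unquoted, e.g. `const char *src=(url && url->orig_url)?url->orig_url:path;` then `char *s=string_alloca(strlen(src)*2+40);` and pass `src` to `unquote`; the `*2` presumably reflects unquote's worst-case expansion, and the fixed part (`&& cd "`, the closing quote and the NUL) is only 9 bytes, so 40 of slack is ample once the variable part is bounded by the right input. Also note that `string_alloca` with a length taken from user-supplied input is an unbounded stack allocation; a heap buffer or a length cap would be safer here.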
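To make the sizing point concrete, here is an added example (not lftp's code, and not from the report) that builds the same `&& cd "<url>"` command with the buffer bounded by the string that is actually escaped. It assumes a hypothetical stand-in for lftp's `unquote` that at most doubles its input (the bound the original `strlen(...)*2` term implies); the sample `path` and `orig_url` strings are constructed for the illustration and are not the exact values from the report. The helper `path_sized_buffer_too_small` reproduces the mismatch of sizing from `path` while filling from `orig_url`, with the slack (40 or 80) as a parameter.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Fixed framing around the quoted argument, as in the reported code. */
#define CD_PREFIX "&& cd \""
#define CD_SUFFIX "\""

/* Hypothetical stand-in for lftp's unquote() (an assumption, not its real
 * code): backslash-escapes '"' and '\\' so the string can sit inside double
 * quotes. Worst case it doubles the input, which is what the original
 * strlen(...)*2 term allows for. Writes at most cap-1 bytes plus a NUL and
 * returns the number of bytes the full result needs (excluding the NUL), so
 * calling it with dst=NULL, cap=0 is a pure length query. */
static size_t escape_dquote(char *dst, size_t cap, const char *src)
{
    size_t n = 0;
    for (const char *p = src; *p; p++) {
        if (*p == '"' || *p == '\\') {
            if (n + 1 < cap) dst[n] = '\\';
            n++;
        }
        if (n + 1 < cap) dst[n] = *p;
        n++;
    }
    if (cap) dst[n < cap ? n : cap - 1] = '\0';
    return n;
}

/* Exact bytes the command needs for src, NUL included. */
static size_t cd_command_len(const char *src)
{
    return strlen(CD_PREFIX) + escape_dquote(NULL, 0, src) + strlen(CD_SUFFIX) + 1;
}

/* Builds `&& cd "<escaped src>"` into buf. Returns 0 on success, -1 when cap
 * is too small; in that case nothing is written. The check uses the same
 * string that is escaped, which is what the reported code gets wrong. */
static int build_cd_command(char *buf, size_t cap, const char *src)
{
    if (cap < cd_command_len(src))
        return -1;
    size_t off = strlen(CD_PREFIX);
    memcpy(buf, CD_PREFIX, off);
    off += escape_dquote(buf + off, cap - off, src);
    memcpy(buf + off, CD_SUFFIX, strlen(CD_SUFFIX) + 1);
    return 0;
}

/* Models the mismatch in the reported code: the buffer was sized from `path`
 * (strlen(path)*2+slack) but filled from `orig_url`. Returns 1 when that
 * sizing cannot hold the command actually built, 0 when it can. */
static int path_sized_buffer_too_small(const char *path, const char *orig_url, size_t slack)
{
    size_t cap = strlen(path) * 2 + slack;
    return cd_command_len(orig_url) > cap;
}

int main(void)
{
    /* Constructed sample: a short bookmark-style path and a long expanded
     * IPv6 URL; not the exact strings from the report. */
    const char *path = "simple";
    const char *orig_url = "ftp://login:pass@[FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF]/";
    char buf[256];

    printf("old sizing (+40) too small: %d\n", path_sized_buffer_too_small(path, orig_url, 40));
    printf("old sizing (+80) too small: %d\n", path_sized_buffer_too_small(path, orig_url, 80));
    if (build_cd_command(buf, sizeof buf, orig_url) == 0)
        printf("%s\n", buf);
    return 0;
}
```

With the constructed sample the +40 sizing (52 bytes for a 6-byte path) cannot hold the 68-byte command built from the URL, while +80 happens to; the point is that the margin depends on the unrelated `path` length, whereas `build_cd_command` refuses any buffer smaller than what its own input needs.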