On Sun, Sep 04, 2005 at 11:08:28AM +0200, Thomas Glanzmann wrote:
> The problem seems to be that the buffer in 'char
> *s=string_alloca(strlen(path)*2+40);' is a bit too short. When I raised
> the 40 in increments of one, it stopped segfaulting at 45.
> I didn't understand the code, but it seems like a simple
> buffer overflow, and raising the value of '40' to hold an unquoted
> ipv6 address in a worst case scenario should be enough.

Thanks for finding the problem. Here is my patch; besides this problem,
it also fixes another one with `open ftp.example.com/path' (without an
explicit protocol).

--
   Alexander.
Index: commands.cc
===================================================================
RCS file: /home/lav/cvsroot/lftp/src/commands.cc,v
retrieving revision 1.226
diff -u -p -r1.226 commands.cc
--- commands.cc 3 Aug 2005 07:12:47 -0000       1.226
+++ commands.cc 5 Sep 2005 11:28:39 -0000
@@ -859,22 +859,26 @@ Job *CmdExec::builtin_open()
       {
         url=new ParsedURL(host);
 
+        if(!url->proto && url->host)
+        {
+           const char *p=ResMgr::Query("cmd:default-protocol",url->host);
+           if(!p)
+              p="ftp";
+           char *u=string_alloca(strlen(p)+3+strlen(host)+1);
+           sprintf(u,"%s://%s",p,host);
+           delete url;
+           url=new ParsedURL(u);
+        }
+
         const ParsedURL &uc=*url;
-        if(uc.host && uc.host[0])
+        if(uc.host && uc.host[0] && uc.proto)
         {
            cwd_history.Set(session,session->GetCwd());
 
-           FileAccess *new_session=0;
-
-           const char *p=uc.proto;
-           if(!p)
-              p=ResMgr::Query("cmd:default-protocol",uc.host);
-           if(!p)
-              p="ftp";
-           new_session=FileAccess::New(p,uc.host);
+           FileAccess *new_session=FileAccess::New(uc.proto,uc.host);
            if(!new_session)
            {
-              eprintf("%s: %s%s\n",args->a0(),p,
+              eprintf("%s: %s%s\n",args->a0(),uc.proto,
                        _(" - not supported protocol"));
               return 0;
            }
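Review bot: The added `sprintf(u,"%s://%s",p,host)` writes into a buffer whose size is worked out by hand on the line before it, which is the same pattern behind the overflow fixed in the second hunk of this patch. The arithmetic is correct as written (protocol, `://`, host, terminator), but keeping the length in one variable ties the write to the allocation: `size_t len=strlen(p)+3+strlen(host)+1;`, `char *u=string_alloca(len);`, `snprintf(u,len,"%s://%s",p,host);`. Because `host` comes from the command argument, the allocation is sized by user input; if `string_alloca` is alloca-based (the macro is not shown here), a length cap or a heap string would avoid an unbounded stack allocation. builtin_open's body starts and ends outside this hunk.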
@@ -968,9 +972,10 @@ Job *CmdExec::builtin_open()
         session->SetCwd(FileAccess::Path(old,is_file,url));
       }
 
-      char *s=string_alloca(strlen(path)*2+40);
+      const char *cd_arg=(url && url->orig_url)?url->orig_url:path;
+      char *s=string_alloca(strlen(cd_arg)*2+40);
       strcpy(s,"&& cd \"");
-      unquote(s+strlen(s),(url && url->orig_url)?url->orig_url:path);
+      unquote(s+strlen(s),cd_arg);
       strcat(s,"\"");
       if(background)
         strcat(s,"&");
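Review bot: The `strlen(cd_arg)*2+40` bound on the new `string_alloca` line is still an undocumented contract with `unquote()`, which writes into `s` with no length argument, and the surrounding `strcpy`/`strcat` calls are unbounded too. Sizing from `cd_arg` removes the mismatch between the string that is measured and the string that is copied, but nothing here states why doubling plus 40 is enough; unquote()'s worst-case expansion is not visible in this hunk. I would add a comment above the allocation such as `// 2x: unquote() may expand each byte to two (confirm); +40 covers the "&& cd \"" prefix, closing quote, '&' and NUL`, so that a later change to unquote() or to the appended suffixes gets checked against it. The enclosing builtin_open starts and ends outside the hunk.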
