Closed Bug 38300 Opened 24 years ago Closed 24 years ago

Two minor fixes for nsFtpConnectionThread.cpp

Categories

(Core :: Networking, defect, P3)

Product:
Core
Component:
Networking
Type:
defect

Tracking

()

Status:
VERIFIED FIXED

People

(Reporter: wtc, Assigned: gagan)

Details

Attachments

(1 file)

Proposed patch.
1.92 KB, patch
Details | Diff | Splinter Review 
I'm going to attach a patch that contains two fixes
for mozilla/netwerk/protocol/ftp/src/nsFtpConnectionThread.cpp.

1. In nsFtpConnectionThread::R_pasv(), we have
    PRInt32 h0, h1, h2, h3, p0, p1;
    ...
    PRInt32 fields = PR_sscanf(ptr,
#ifdef __alpha
        "%d,%d,%d,%d,%d,%d",
#else
        "%ld,%ld,%ld,%ld,%ld,%ld",
#endif
        &h0, &h1, &h2, &h3, &p0, &p1);

  The #ifdef __alpha is not needed.  The %ld format
  for PR_snprintf and PR_sscanf specifies PRInt32, not
  long.  I checked our documentation
  (http://www.mozilla.org/docs/refList/refNSPR/prprf.html)
  and found that this is not clearly documented.
      %hd   PRInt16
      %d    PRIntn
      %ld   PRInt32
      %lld  PRInt64

2. In nsFtpConnectionThread::R_pasv(), the while loop
  to find the beginning of the returned address string
  is not robust against a malformed response.
    // The returned address string can be of the form
    // (xxx,xxx,xxx,xxx,ppp,ppp) or
    //  xxx,xxx,xxx,xxx,ppp,ppp (without parens)
    ptr = response;
    while (*ptr++) {
        if (*ptr == '(') {
            // move just beyond the open paren
            ptr++;
            break;
        }
        if (*ptr == ',') {
            ptr--;
            // backup to the start of the digits
            while ( (*ptr >= '0') && (*ptr <= '9'))
                ptr--;
            ptr++; // get back onto the numbers
            break;
        }
    } // end while

  The ++ in 'while (*ptr++)' will move 'ptr' beyond
  the terminating null byte if 'response' does not
  contain any '(' and ','.

  The inner while loop, which moves 'ptr' backward,
  needs to check for (ptr >= response) to prevent
  'ptr' from moving past the beginning of 'response'.
  A problematic malformed 'response' for this would
  be "9,9".

Copied jgmyers because this is in the area that his
IPv6 FTP patch touches (bug #28874).
Attached patch Proposed patch.Splinter Review 

    
    

    
  
The conflict between this patch and bug #28874 is trivial to resolve--it's just 
a difference of indentation.


    
    

    
  
will check this in tonite. thx wtc.
Status: NEW → ASSIGNED
Target Milestone: --- → M16

    
    

    
  
checked in. 
Status: ASSIGNED → RESOLVED
Closed: 24 years ago
Resolution: --- → FIXED

    
    

    
  
I verified the fix.  Thanks Gagan.
Status: RESOLVED → VERIFIED

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: