Closed Bug 807555 Opened 13 years ago Closed 13 years ago

FTP crash if server reply is missing directory

Categories

(Core Graveyard :: Networking: FTP, defect)

x86_64
Linux
defect
Not set
minor

Tracking

(Not tracked)

RESOLVED FIXED
mozilla19

People

(Reporter: sczimmer, Assigned: jduell.mcbugs)

Details

Attachments

(2 files)

In response to 'PWD', FTP servers normally send something with some text between the quotes, like:
257 "/" is current directory.
The FTP server on RICOH Aficio printers sends:
257 "" is current option.
In nsFtpConnectionThread, nsFtpState::R_pwd() cuts out the part of the response between the quotes and then calls respStr.Last(). Calling Last() on an empty string crashes the browser.
"crashes the browser": sounds like this could be invoked simply by redirecting users to an FTP server that omits the "/". Deterministic crashes get sec-critical, right?
Group: core-security
Keywords: sec-critical
Note I haven't confirmed this.
Summary: nsFtpConnectionThread → FTP crash if server reply is missing directory
(In reply to Jason Duell (:jduell) from comment #1)
> Deterministic crashes get sec-critical, right?
Only if it's an exploitable crash - no evidence that this is at the moment; looks to me like just a null deref?
Keywords: sec-critical
It is a deterministic crash, but it is not exploitable. It seg faults at 'return mData[mLength - 1];' since mLength is 0, so mLength - 1 = 0xffffffff. So it's not quite a null deref, but it crashes trying to deref mData + 0xffffffff. Even if the attacker could somehow map and control the value at that address, there's still no chance of an exploit, as it just reads the value and compares it with '/' to decide if it needs to add a '/' to the end of the string. If you want to reproduce it, any of these ftp servers should crash firefox: http://www.shodanhq.com/search?q=RICOH+aficio+port%3A21
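The mechanism described in the report and in the comment above, as an added example that is not part of this bug's attachments or of Mozilla's code: a stand-in for the quoted-path extraction in nsFtpState::R_pwd(), with the empty-string check that the unguarded Last() call lacks. The 257 check, the function names and the choice to treat an empty path as the root are assumptions made for this example.

```cpp
#include <cstdint>
#include <string>

// Stand-in for the quoted-path extraction in nsFtpState::R_pwd(); written
// for this example, not Mozilla's code. Returns the working directory with
// a trailing '/', or "" when the reply is not a 257 line carrying a quoted
// path (the "" error signalling is an assumption of this example).
std::string ParsePwdReply(const std::string& reply)
{
    // Only "257 <quoted path> ..." replies are handled here.
    if (reply.compare(0, 3, "257") != 0)
        return "";

    // Cut out the part between the first pair of double quotes, as R_pwd()
    // does before looking at the last character.
    std::string::size_type open = reply.find('"');
    if (open == std::string::npos)
        return "";
    std::string::size_type close = reply.find('"', open + 1);
    if (close == std::string::npos)
        return "";
    std::string path = reply.substr(open + 1, close - open - 1);

    // The RICOH reply (257 "" is current option.) leaves path empty. The
    // original code went straight to respStr.Last(), which reads
    // mData[mLength - 1]; with an unsigned mLength of 0 that index wraps to
    // 0xffffffff and the read faults. Check for empty first; an empty path
    // is treated as the root so the result is still a usable directory.
    if (path.empty() || path.back() != '/')
        path.push_back('/');
    return path;
}

// The index wrap behind the faulting read described in the report: with an
// unsigned 32-bit length of 0, mLength - 1 is 0xffffffff, not -1.
uint32_t LastCharIndex(uint32_t mLength)
{
    return mLength - 1;
}
```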
Attached file callstack
Still nice find. Adding the callstack of the crash.
Status: UNCONFIRMED → NEW
Ever confirmed: true
Does this bug need to still be hidden? I assume no.
Attached patch v1
I've verified this fixes the crash on ftp://math-copier.acadiau.ca
Assignee: nobody → jduell.mcbugs
Status: NEW → ASSIGNED
Attachment #677893 - Flags: review?
Comment on attachment 677893 [details] [diff] [review] v1
Bugzilla decides to post a little, easily-missed message if the requestee's :nickname is ambiguous. Not a feature...
Attachment #677893 - Flags: review? → review?(michal.novotny)
Attachment #677893 - Flags: review?(michal.novotny) → review+
Group: core-security
Status: ASSIGNED → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla19
Product: Core → Core Graveyard