Fellow cURLers,

I've run afoul of some of the directory handling logic in ftp.c. When reusing
connections while changing the value of the FTP_FILEMETHOD option, a previously
deallocated dirs array in the ftp_conn structure gets used, resulting in a SEGV.

Following is a patch (against the version of ftp.c in 7.18.2) and a test program
(hacked from the lib500.c test case) that demonstrates the problem with an
unpatched ftp.c.

Sincerely,
Scott Barrett

diff -u ftp.c.orig ftp.c
--- ftp.c.orig Mon Jul 7 11:47:36 2008
+++ ftp.c Mon Jul 7 11:47:54 2008
@@ -279,6 +279,7 @@
      }
      free(ftpc->dirs);
      ftpc->dirs = NULL;
+ ftpc->dirdepth = 0;
    }
    if(ftpc->file) {
      free(ftpc->file);

/*****************************************************************************
  * _ _ ____ _
  * Project ___| | | | _ \| |
  * / __| | | | |_) | |
  * | (__| |_| | _ <| |___
  * \___|\___/|_| \_\_____|
  *
  * $Id: lib500.c,v 1.7 2008-05-22 21:49:52 danf Exp $
  */

#include "test.h"

int test(char *URL)
{
   CURLcode res;
   CURL *curl;

   if (curl_global_init(CURL_GLOBAL_ALL) != CURLE_OK) {
     fprintf(stderr, "curl_global_init() failed\n");
     return TEST_ERR_MAJOR_BAD;
   }

   if ((curl = curl_easy_init()) == NULL) {
     fprintf(stderr, "curl_easy_init() failed\n");
     curl_global_cleanup();
     return TEST_ERR_MAJOR_BAD;
   }

   //
   // Begin with cURL set to use a single CWD to the URL's directory.
   //
   curl_easy_setopt(curl, CURLOPT_URL, URL);
   curl_easy_setopt(curl, CURLOPT_VERBOSE, 1L);
   curl_easy_setopt(curl, CURLOPT_FTP_FILEMETHOD, CURLFTPMETHOD_SINGLECWD);

   res = curl_easy_perform(curl);

   //
   // Change the FTP_FILEMETHOD option to use full paths rather than a CWD
   // command. Alter the URL's path a bit, appending a "./". Use an innocuous
   // QUOTE command, after which cURL will CWD to ftp_conn->entrypath and then
   // (on the next call to ftp_statemach_act) find a non-zero ftpconn->dirdepth
   // even though no directories are stored in the ftpconn->dirs array (after a
   // call to freedirs).
   //
   char* newURL = strcat (strcpy ((char*)malloc (strlen (URL) + 3),
                                 URL),
                         "./");
   struct curl_slist *slist = curl_slist_append (NULL, "SYST");

   curl_easy_setopt(curl, CURLOPT_URL, newURL);
   curl_easy_setopt(curl, CURLOPT_FTP_FILEMETHOD, CURLFTPMETHOD_NOCWD);
   curl_easy_setopt(curl, CURLOPT_QUOTE, slist);

   res = curl_easy_perform(curl);

   curl_slist_free_all(slist);
   free(newURL);
   curl_easy_cleanup(curl);
   curl_global_cleanup();

   return (int)res;
}

int
main (int argc,
       char** argv)
   {
     if (argc < 2)
       {
        fprintf (stderr, "Please provide an FTP directory URL");
        return TEST_ERR_MAJOR_BAD;
       }

     return test (argv[1]);
   }
Received on 2008-07-07