Subject: bin/9591: ftp/util.c free()'s static and stack values.
To: None <gnats-bugs@gnats.netbsd.org>
From: Bernd Salbrechter <bernd@mycity.at>
List: netbsd-bugs
Date: 03/09/2000 14:22:34
>Number:         9591
>Category:       bin
>Synopsis:       ftp/util.c free()'s static and stack values.
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    bin-bug-people (Utility Bug People)
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Thu Mar  9 14:20:59 2000
>Last-Modified:
>Originator:     Bernd Salbrechter
>Organization:
	Private
>Release:        NetBSD-1.4.1
>Environment:
System: NetBSD schleppo.sun.universe 1.4.1 NetBSD 1.4.1 (SCHLEPPO) #1: Fri Feb 4 20:36:41 CET 2000 salb@schleppo.sun.universe:/products/NetBSD/usr/src/sys/arch/i386/compile/SCHLEPPO i386


>Description:
	When ftp prompts for the user and the password, it free()'s
	a stack value and the static buffer of getpass().

   This causes ftp to core dump on Linux.

>How-To-Repeat:
   Look at the source of /usr/src/usr.bin/ftp/util.c between line
   314 and 350.

>Fix:
--- /home/salb/prs/util.c.orig	Thu Mar  9 22:23:18 2000
+++ /home/salb/prs/util.c	Thu Mar  9 22:26:12 2000
@@ -314,8 +314,10 @@
 		tmp[strlen(tmp) - 1] = '\0';
 		if (*tmp == '\0')
 			user = myname;
-		else
+		else {
 			user = tmp;
+			freeuser = 0;  /* Don't free a stack vaule!. */
+		}
 	}
 
 	if (gatemode) {
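Review bot: only the `else` branch clears the flag; the `user = myname;` branch directly above it also repoints `user` but leaves `freeuser` as it was. If `freeuser` can be non-zero on entry to this block, either confirm that `myname` is heap-allocated or move `freeuser = 0;` ahead of the `if (*tmp == '\0')` test so both branches are covered. An alternative that keeps ownership uniform is to copy `tmp` into allocated storage and leave the flag set, so `user` never aliases a buffer that disappears when the function returns. Separately, the context line `tmp[strlen(tmp) - 1] = '\0';` writes at index -1 when `tmp` is empty, which deserves a length check. The new comment has a typo ("vaule!.").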
@@ -331,8 +333,10 @@
 
 	n = command("USER %s", user);
 	if (n == CONTINUE) {
-		if (pass == NULL)
+		if (pass == NULL) {
 			pass = getpass("Password:");
+			freepass = 0;  /* getpass() returna a pointer to a staic buffer!. */
+		}
 		n = command("PASS %s", pass);
 	}
 	if (n == CONTINUE) {
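Review bot: after `n = command("PASS %s", pass);` the cleartext password stays in getpass()'s static buffer, which this change correctly stops freeing but never clears. Consider overwriting the buffer once the PASS command has been sent, since nothing else will release or reuse it on this path. Some getpass() implementations can also return NULL on failure, in which case `pass` would reach the `%s` conversion as NULL, so a check right after the call would be worth adding. The new comment has typos ("returna", "staic").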
>Audit-Trail:
>Unformatted: