Subject: bin/9642: ftpd(8) may forget data connection in passive mode.
To: None <gnats-bugs@gnats.netbsd.org>
From: Takahiro Kambe <taca@sky.yamashina.kyoto.jp>
List: netbsd-bugs
Date: 03/18/2000 17:54:10
>Number:         9642
>Category:       bin
>Synopsis:       ftpd(8) may forget data connection in passive mode.
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    bin-bug-people (Utility Bug People)
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Sat Mar 18 17:54:00 2000
>Last-Modified:
>Originator:     Takahiro Kambe
>Organization:
	
>Release:        NetBSD-current 2000/3/16
>Environment:
	
System: NetBSD ns.sky.yamashina.kyoto.jp 1.4U NetBSD 1.4U (NS) #108: Fri Mar 17 14:05:08 JST 2000 taca@ns.sky.yamashina.kyoto.jp:/usr/src/sys/arch/i386/compile/NS i386


>Description:
ftpd(8) may forget a data connection under the conditions below.

o In passive mode.
o There is no file in ftpd(8)'s current directory.
o The client sends PASV and NLST.  Use the nlist command of ftp(1).

This may enable a DoS attack.  This problem was first reported by
TANAKA Hirosachi <c1995207@uhura.nit.ac.jp>
on freebsd-net-jp@jp.freebsd.org.

>How-To-Repeat:
Try the sequence below:

% ftp remote
User: someone
Password: xxxx
ftp> cd /tmp
ftp> mkdir tmp
ftp> cd tmp
ftp> passive
ftp> nlist
229 Entering Extended Passive Mode (|||45675|)
550 No files found.
ftp> nlist
229 Entering Extended Passive Mode (|||45676|)
550 No files found.
ftp>

Then leave ftp(1) and try this command on the server:

% netstat -naf inet
Proto Recv-Q Send-Q  Local Address          Foreign Address        State
tcp        0      0  210.235.106.85.45676   210.235.106.86.64628   CLOSE_WAIT
tcp        0      0  210.235.106.85.45676   *.*                    LISTEN
tcp        0      0  210.235.106.85.45675   210.235.106.86.64629   CLOSE_WAIT
tcp        0      0  210.235.106.85.45675   *.*                    LISTEN
...


>Fix:
send_file_list() in ftpd.c forgets to close the passive port.

Index: ftpd.c
===================================================================
RCS file: /usr/local/libdata/cvs/netbsd/libexec/ftpd/ftpd.c,v
retrieving revision 1.1.1.1.2.16
diff -c -r1.1.1.1.2.16 ftpd.c
*** ftpd.c	2000/03/05 22:44:41	1.1.1.1.2.16
--- ftpd.c	2000/03/18 16:13:30
***************
*** 2588,2593 ****
--- 2588,2597 ----
  	transflag = 0;
  	if (dout != NULL)
  		(void) fclose(dout);
+ 	else {
+ 		if (pdata >= 0)
+ 			(void) close(pdata);
+ 	}
  	data = -1;
  	pdata = -1;
  out:
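Review bot: the nested `else { if (pdata >= 0) ... }` in this hunk reads better flattened to `else if (pdata >= 0) (void) close(pdata);`, and the branch deserves a one-line comment, because the reason the listening socket must be closed here is not visible from the code itself: PASV/EPSV created `pdata` before the NLST, and when there is nothing to list the data connection is never established, so `dout` stays NULL and nothing else releases the socket. Note also that `data = -1;` just below is reached in the same branch without a matching close, which is only safe as long as `data` is never opened without `dout` also being set; the comment should state that assumption so a later change to send_file_list() does not reintroduce a leak.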

>Audit-Trail:
>Unformatted:
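Added example, not part of this PR: a small checker that scans `netstat -naf inet` output for the signature shown above, a LISTEN socket on an ephemeral local port that also has a CLOSE_WAIT peer on the same port, which is what a forgotten passive data socket looks like on the server. The sample rows are taken from the report (the port 21 row is constructed), and the field layout assumed is BSD netstat's `host.port` form.

```python
# Added example (not part of PR bin/9642): flag leaked passive-mode data
# sockets in BSD netstat(1) output. A LISTEN entry on an ephemeral port that
# also carries a CLOSE_WAIT peer on the same local port means the client has
# closed its side but ftpd never accepted or closed the listening socket.
from collections import defaultdict

# Sample rows from the PR's "netstat -naf inet" output; the port 21 row is
# constructed to show that well-known service ports are ignored.
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q  Local Address          Foreign Address        State
tcp        0      0  210.235.106.85.45676   210.235.106.86.64628   CLOSE_WAIT
tcp        0      0  210.235.106.85.45676   *.*                    LISTEN
tcp        0      0  210.235.106.85.45675   210.235.106.86.64629   CLOSE_WAIT
tcp        0      0  210.235.106.85.45675   *.*                    LISTEN
tcp        0      0  210.235.106.85.21      *.*                    LISTEN
"""


def parse_netstat(text):
    """Yield (local_addr, local_port, state) for each tcp row of BSD netstat output."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 6 or not fields[0].startswith("tcp"):
            continue  # header, non-tcp rows, or truncated lines
        local, state = fields[3], fields[5]
        addr, _, port = local.rpartition(".")  # BSD prints host.port
        if port.isdigit():
            yield addr, int(port), state


def leaked_passive_ports(text, min_port=1024):
    """Return sorted (addr, port) pairs that are in LISTEN and also hold a CLOSE_WAIT peer."""
    states = defaultdict(set)
    for addr, port, state in parse_netstat(text):
        if port >= min_port:  # passive data ports are ephemeral; skip ftp/21 etc.
            states[(addr, port)].add(state)
    return sorted(k for k, s in states.items() if {"LISTEN", "CLOSE_WAIT"} <= s)


if __name__ == "__main__":
    for addr, port in leaked_passive_ports(SAMPLE_NETSTAT):
        print(f"possible leaked passive data socket: {addr} port {port}")
```

Running it against the sample reports ports 45675 and 45676, the two sockets left behind by the two nlist commands in the session above.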