bug-inetutils

[bug-inetutils] ftpd: Unhandled fault: alignment exception & buffer overrun


From: Mike McTernan
Subject: [bug-inetutils] ftpd: Unhandled fault: alignment exception & buffer overrun
Date: Sat, 7 Nov 2009 17:25:14 -0000

Hi,

I'm using inetutils-1.6 and running ftpd on an ARM Cortex A8 processor.
I find I get alignment traps occurring.  I believe it to be the same as
reported here:

  http://www.mail-archive.com/address@hidden/msg01340.html

I'm using CodeSourcery 2008q1 and configuring like this:

  HOST=arm-none-linux-gnueabi
  CFLAGS=-mcpu=cortex-a8 -mthumb
  ./configure --host=$(HOST) --disable-ipv6 --disable-clients --disable-inetd CFLAGS="$(CFLAGS) -g"


With a core file I traced the problem to the following in libls/fts.c:


  /*
   * The file name is a variable length array and no stat structure is
   * necessary if the user has set the nostat bit.  Allocate the FTSENT
   * structure, the file name and the stat structure in one chunk, but
   * be careful that the stat structure is reasonably aligned.  Since the
   * fts_name field is declared to be of size 1, the fts_name pointer is
   * namelen + 2 before the first possible address of the stat structure.
   */
  len = sizeof (FTSENT) + namelen;
  if (!ISSET (FTS_NOSTAT))
    len += sizeof (struct stat);
  if ((p = malloc (len)) == NULL)
    return (NULL);

  /* Copy the name plus the trailing NULL. */
  memmove (p->fts_name, name, namelen + 1);

  if (!ISSET (FTS_NOSTAT))
    p->fts_statp = (struct stat *) (p->fts_name + namelen + 2);
                                    ^^^^^^^^^^^^^^^^^^^^^^^^^

The comment shows alignment has been considered, although the assignment
to p->fts_statp doesn't actually perform alignment.  It also looks like
the stat buffer overruns the allocation since 'len' doesn't account for
the + 2.

Attached is a patch which just performs a second malloc() for the stat
buffer if needed.  This ensures correct alignment.  The free function
also de-allocates the buffer.

Kind Regards,

Mike 

Attachment: arm-alignment.diff
Description: arm-alignment.diff
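
The layout problem described in the message above, worked through in code. This is an added example, not part of the original message, of the attached patch, or of inetutils' own source: it uses a reduced stand-in for libls's FTSENT (assumption: only the fields needed here, with fts_name declared of size 1 as in fts.c), reproduces the 1.6 offset and length arithmetic as separate functions so they can be checked, and beside them shows the alternative fix of keeping a single allocation but rounding the stat pointer up to the alignment struct stat needs and reserving the slack in the length (the approach the original BSD fts.c takes with its ALIGN/ALIGNBYTES macros). The names buggy_*, fixed_*, fts_alloc_aligned and aligned_entry_ok are this example's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>

/* Reduced stand-in for libls's FTSENT (assumption: only the fields this
 * example needs; the real structure has more). fts_name is declared with
 * size 1 and the name is written past it, exactly as in fts.c. */
typedef struct _ftsent {
    struct _ftsent *fts_link;
    struct stat *fts_statp;
    size_t fts_namelen;
    char fts_name[1];
} FTSENT;

/* Alignment struct stat requires, derived with offsetof so this builds as
 * plain C89 (same value as C11's _Alignof(struct stat)). */
struct stat_align_probe { char c; struct stat s; };
#define STAT_ALIGN offsetof(struct stat_align_probe, s)

/* All offsets are from the start of the malloc'd chunk; malloc() aligns the
 * chunk for any standard type, so a misaligned offset is a misaligned pointer. */

/* inetutils 1.6: fts_statp = (struct stat *)(fts_name + namelen + 2). */
size_t buggy_statp_offset(size_t namelen)
{
    return offsetof(FTSENT, fts_name) + namelen + 2;
}

/* inetutils 1.6: len = sizeof (FTSENT) + namelen + sizeof (struct stat). */
size_t buggy_alloc_len(size_t namelen)
{
    return sizeof(FTSENT) + namelen + sizeof(struct stat);
}

/* 1 if the 1.6 layout leaves the stat structure misaligned. */
int buggy_misaligned(size_t namelen)
{
    return buggy_statp_offset(namelen) % STAT_ALIGN != 0;
}

/* 1 if the 1.6 layout puts part of the stat structure past the chunk end.
 * Whether this fires depends on how many bytes of tail padding the compiler
 * leaves after fts_name[1]: only that padding covers the "+ 2". */
int buggy_overruns(size_t namelen)
{
    return buggy_statp_offset(namelen) + sizeof(struct stat) > buggy_alloc_len(namelen);
}

/* Round x up to the next multiple of a (a must be a power of two). */
static size_t align_up(size_t x, size_t a)
{
    return (x + a - 1) & ~(a - 1);
}

/* Corrected layout: first byte after the name's trailing NUL, rounded up. */
size_t fixed_statp_offset(size_t namelen)
{
    return align_up(offsetof(FTSENT, fts_name) + namelen + 1, STAT_ALIGN);
}

/* Corrected length: reserve STAT_ALIGN - 1 bytes of worst-case slack so the
 * rounded-up offset plus the stat structure always fits. */
size_t fixed_alloc_len(size_t namelen)
{
    return sizeof(FTSENT) + namelen + (STAT_ALIGN - 1) + sizeof(struct stat);
}

int fixed_misaligned(size_t namelen)
{
    return fixed_statp_offset(namelen) % STAT_ALIGN != 0;
}

int fixed_overruns(size_t namelen)
{
    return fixed_statp_offset(namelen) + sizeof(struct stat) > fixed_alloc_len(namelen);
}

/* Single-chunk allocation done the corrected way. */
FTSENT *fts_alloc_aligned(const char *name, size_t namelen)
{
    FTSENT *p = malloc(fixed_alloc_len(namelen));
    if (p == NULL)
        return NULL;
    p->fts_link = NULL;
    p->fts_namelen = namelen;
    memmove(p->fts_name, name, namelen + 1);    /* name plus trailing NUL */
    p->fts_statp = (struct stat *)((char *)p + fixed_statp_offset(namelen));
    return p;
}

/* Allocate an entry for name, check that fts_statp is aligned and lies
 * entirely inside the chunk and the name survived, free it, report. */
int aligned_entry_ok(const char *name)
{
    size_t namelen = strlen(name);
    FTSENT *p = fts_alloc_aligned(name, namelen);
    uintptr_t base, sp;
    int ok;

    if (p == NULL)
        return 0;
    base = (uintptr_t)p;
    sp = (uintptr_t)p->fts_statp;
    ok = sp % STAT_ALIGN == 0
      && sp + sizeof(struct stat) <= base + fixed_alloc_len(namelen)
      && strcmp(p->fts_name, name) == 0;
    free(p);
    return ok;
}

int main(void)
{
    size_t n;
    for (n = 0; n < 16; n++)
        printf("namelen %2zu: 1.6 offset %3zu (%s%s), fixed offset %3zu\n", n,
               buggy_statp_offset(n), buggy_misaligned(n) ? "misaligned" : "aligned",
               buggy_overruns(n) ? ", overruns" : "", fixed_statp_offset(n));
    return 0;
}
```

Running it prints, for each name length, where the 1.6 arithmetic would put the stat structure and whether that address is aligned for struct stat; on any ABI where struct stat needs more than byte alignment, roughly every other name length lands misaligned, which is what turns into a trap on a Cortex-A8 configured to fault rather than fix up unaligned accesses. The second malloc() in the attached patch sidesteps the arithmetic entirely; the in-place rounding shown here keeps the single allocation at the cost of STAT_ALIGN - 1 extra bytes per entry.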

