DragonFly BSD
DragonFly bugs List (threaded) for 2010-11

Re: [issue1891] sftp utility crashes


From: YONETANI Tomokazu <qhwt.dfly@xxxxxxxxxx>
Date: Thu, 11 Nov 2010 19:21:39 +0900

On Wed, Nov 10, 2010 at 05:19:13PM +0000, vasily postnicov (via DragonFly issue tracker) wrote:
> I have something interesting for you. Size of glob_t (type for glob() ) is 88
> (at least on my machine):
				:
> In glob () function it is 88 too, but in process_get() and remote_glob() it is
> 72. How could it be?

Hum, apparently sftp uses the OpenBSD definition of glob_t from
/usr/src/crypto/openssh/openbsd-compat/glob.h, whereas the glob()
in libc uses the one from /usr/include/glob.h.  Unlike OpenBSD,
FreeBSD and DragonFly use size_t for the first three members.
Since sizeof(size_t) == sizeof(int), this is not a problem on the 32-bit
version of i386 CPUs, but on x86_64 sizeof(size_t) > sizeof(int),
so glob() uses a memory location different from what the caller
intended for the function pointers, which led to a crash.  BTW at least
gl_pathc and gl_offs are mentioned to be size_t according to the
following URL (the site may be down at the moment):

  http://www.opengroup.org/onlinepubs/009695399/basedefs/glob.h.html

Can you try replacing the first three members in glob_t from int
to size_t, that is,

/usr/src/crypto/openssh/openbsd-compat/glob.h:
typedef struct {
	int gl_pathc;		/* Count of total paths so far. */
	int gl_matchc;		/* Count of paths matching pattern. */
	int gl_offs;		/* Reserved at beginning of gl_pathv. */


typedef struct {
	size_t gl_pathc;	/* Count of total paths so far. */
	size_t gl_matchc;	/* Count of paths matching pattern. */
	size_t gl_offs;		/* Reserved at beginning of gl_pathv. */

then rebuild sftp and see if that helps?

 
> _____________________________________________________
> DragonFly issue tracker <bugs@lists.dragonflybsd.org>
> <http://bugs.dragonflybsd.org/issue1891>
> _____________________________________________________
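
The layout mismatch described in this message, modelled as an added example (not code from the thread, OpenSSH, or DragonFly). It measures how far the callee's function-pointer area is displaced from the caller's and which slots fall outside the caller's object. Assumptions: the struct names, the members after gl_offs, and the six-entry gl_fn array standing in for the function pointers are a model chosen for illustration.

```c
#include <stddef.h>
#include <stdio.h>

typedef void (*fn_t)(void);

/* Caller's view (int counters, as in the openbsd-compat header).
 * Members after gl_offs are assumed for this model. */
struct glob_caller {
    int gl_pathc, gl_matchc, gl_offs;
    int gl_flags;
    char **gl_pathv;
    fn_t gl_fn[6];              /* stand-in for the function pointers */
};

/* Callee's view (size_t counters, as in the libc header). */
struct glob_callee {
    size_t gl_pathc, gl_matchc, gl_offs;
    int gl_flags;
    char **gl_pathv;
    fn_t gl_fn[6];
};

size_t caller_size(void) { return sizeof(struct glob_caller); }
size_t callee_size(void) { return sizeof(struct glob_callee); }

/* Bytes by which the callee's function-pointer area is displaced. */
long callback_shift(void)
{
    return (long)offsetof(struct glob_callee, gl_fn)
         - (long)offsetof(struct glob_caller, gl_fn);
}

/* Which caller slot lies where the callee expects slot i;
 * -1 means the callee reaches past the end of the caller's object. */
int caller_slot_seen_by_callee(int i)
{
    size_t off = offsetof(struct glob_callee, gl_fn) + (size_t)i * sizeof(fn_t);
    if (off + sizeof(fn_t) > sizeof(struct glob_caller))
        return -1;
    return (int)((off - offsetof(struct glob_caller, gl_fn)) / sizeof(fn_t));
}

int main(void)
{
    printf("caller %zu bytes, callee %zu bytes, shift %ld\n",
           caller_size(), callee_size(), callback_shift());
    for (int i = 0; i < 6; i++)
        printf("callee slot %d -> caller slot %d\n", i, caller_slot_seen_by_callee(i));
    return 0;
}
```

On an LP64 target this model yields the 72 and 88 byte sizes reported in the thread; where size_t and int have the same width, the shift is zero and every slot maps to itself.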


