Ticket #3176 (closed defect: fixed)

Opened 4 years ago

Last modified 4 years ago

Segfault in sftpfs VFS when trying to view a file

Reported by: vahur Owned by: andrew_b
Priority: major Milestone: 4.8.12
Component: mc-vfs Version: master
Keywords: Cc:
Blocked By: Blocking:
Branch state: merged Votes for changeset: andrew_b

Description

MC terminates with a segfault when the user tries to view a file (with F3) on a remote server via SFTPFS. This is caused by using data from already free()-d memory in /src/vfs/sftpfs/file.c. sftpfs_lseek() accesses a memory block that was previously deallocated by sftpfs_reopen().

Here's the patch:

diff --git a/src/vfs/sftpfs/file.c b/src/vfs/sftpfs/file.c
index c7a4eb9..f757109 100644
--- a/src/vfs/sftpfs/file.c
+++ b/src/vfs/sftpfs/file.c
@@ -60,12 +60,17 @@ static void
 sftpfs_reopen (vfs_file_handler_t * file_handler, GError ** error)
 {
     sftpfs_file_handler_data_t *file_handler_data;
+    int flags;
+    mode_t mode;
 
     file_handler_data = (sftpfs_file_handler_data_t *) file_handler->data;
+    flags = file_handler_data->flags;
+    mode = file_handler_data->mode;
 
     sftpfs_close_file (file_handler, error);
-    if (error == NULL || *error == NULL)
-        sftpfs_open_file (file_handler, file_handler_data->flags, file_handler_data->mode, error);
+    if (error == NULL || *error == NULL) {
+        sftpfs_open_file (file_handler, flags, mode, error);
+    }
 }
 
 /* --------------------------------------------------------------------------------------------- */
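
Review bot: the braces added around the single-statement body of `if (error == NULL || *error == NULL)` in sftpfs_reopen() diverge from the surrounding style, where an opening brace sits on its own line and a one-statement body carries no braces; keeping the `if` as it was with the call below it, `sftpfs_open_file (file_handler, flags, mode, error);`, is enough. The two local copies deserve a one-line comment saying that sftpfs_close_file () frees file_handler->data, so flags and mode must be read out before that call; without it the next reader will fold the locals back into the open call and reintroduce the use after free this patch removes.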
@@ -361,8 +366,6 @@ sftpfs_lseek (vfs_file_handler_t * file_handler, off_t offset, int whence, GErro
 {
     sftpfs_file_handler_data_t *file_handler_data;
 
-    file_handler_data = (sftpfs_file_handler_data_t *) file_handler->data;
-
     switch (whence)
     {
     case SEEK_SET:
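
Review bot: dropping the assignment above the switch is the right fix, but nothing in the hunk records why it must not live here, and a later cleanup could hoist it back. Per the description, the switch body can reach sftpfs_reopen(), which frees and replaces file_handler->data, so a short comment at the top of sftpfs_lseek() along the lines of `/* file_handler->data may be replaced by a reopen below; fetch it after the switch */` would document the ordering constraint the rest of this patch depends on.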
@@ -392,6 +395,8 @@ sftpfs_lseek (vfs_file_handler_t * file_handler, off_t offset, int whence, GErro
         break;
     }
 
+    file_handler_data = (sftpfs_file_handler_data_t *) file_handler->data;
+
     libssh2_sftp_seek64 (file_handler_data->handle, file_handler->pos);
     file_handler->pos = (off_t) libssh2_sftp_tell64 (file_handler_data->handle);
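
Review bot: after the switch, file_handler_data->handle is dereferenced without checking whether the reopen reached inside the switch succeeded. sftpfs_reopen() takes the same GError ** and, when sftpfs_open_file() fails after sftpfs_close_file() has already torn the old handle down, leaves *error set with no usable handle behind it, so libssh2_sftp_seek64() would then run on an invalid handle. Suggest bailing out before the seek, e.g. `if (error != NULL && *error != NULL)` followed by the function's failure return (its return type is cut off in the hunk header, so I have not guessed the value).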

Output of mc -V:

GNU Midnight Commander 4.8.11-77-g9bbc510
Built with GLib 2.38.2
Using the ncurses library
With builtin Editor
With subshell support as default
With support for background operations
With mouse support on xterm
With multiple codepages support
Virtual File Systems: cpiofs, tarfs, sfs, extfs, ftpfs, sftpfs, fish
Data types: char: 8; int: 32; long: 64; void *: 64; size_t: 64; off_t: 64;
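
The use-after-free described above, as an added example in C that is not Midnight Commander code: a miniature model of the sftpfs handle lifecycle in which a reopen frees and reallocates the per-file data block, written with the two orderings the patch enforces (copy fields out before the close that frees them; fetch file_handler->data only after any call that may have reopened the file). vfs_handle, handler_data, vfs_open, vfs_close, vfs_reopen, vfs_lseek and backend_seek are hypothetical stand-ins for vfs_file_handler_t, sftpfs_file_handler_data_t, sftpfs_open_file(), sftpfs_close_file(), sftpfs_reopen(), sftpfs_lseek() and the libssh2 seek/tell calls; the model's SEEK_END branch reopening the file is an assumption standing in for whatever path reaches sftpfs_reopen() in mc.

```c
/* Added example, not mc code: a model of the sftpfs handle lifecycle.
 * All names are hypothetical stand-ins for the real src/vfs/sftpfs types. */
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>

typedef struct {
    unsigned handle;    /* stand-in for the libssh2 SFTP handle */
    int flags;
    mode_t mode;
    off_t size;
} handler_data;

typedef struct {
    handler_data *data; /* freed and reallocated by every reopen */
    off_t pos;
} vfs_handle;

static unsigned next_handle = 1;

/* Stand-in for sftpfs_open_file(): allocates a fresh per-open block. */
static int vfs_open(vfs_handle *fh, int flags, mode_t mode, off_t size)
{
    handler_data *d = calloc(1, sizeof *d);
    if (d == NULL)
        return -1;
    d->handle = next_handle++;
    d->flags = flags;
    d->mode = mode;
    d->size = size;
    fh->data = d;
    return 0;
}

/* Stand-in for sftpfs_close_file(): from here every old copy of the
 * data pointer is dangling. */
static void vfs_close(vfs_handle *fh)
{
    free(fh->data);
    fh->data = NULL;
}

/* Mirrors the patched sftpfs_reopen(): read flags/mode into locals first,
 * because vfs_close() frees the block they live in. */
static int vfs_reopen(vfs_handle *fh)
{
    int flags = fh->data->flags;
    mode_t mode = fh->data->mode;
    off_t size = fh->data->size;

    vfs_close(fh);
    return vfs_open(fh, flags, mode, size);
}

/* Stand-in for libssh2_sftp_seek64() followed by libssh2_sftp_tell64():
 * the backend clamps the position to the file and reports where it landed. */
static off_t backend_seek(handler_data *d, off_t pos)
{
    if (pos < 0)
        pos = 0;
    if (pos > d->size)
        pos = d->size;
    return pos;
}

/* Mirrors the patched sftpfs_lseek(): the model's SEEK_END reopens the file
 * (assumption), so fh->data is fetched only after the switch. */
static off_t vfs_lseek(vfs_handle *fh, off_t offset, int whence)
{
    handler_data *d;

    switch (whence)
    {
    case SEEK_SET:
        fh->pos = offset;
        break;
    case SEEK_CUR:
        fh->pos += offset;
        break;
    case SEEK_END:
        if (vfs_reopen(fh) != 0)    /* frees and replaces fh->data */
            return -1;
        fh->pos = fh->data->size + offset;
        break;
    default:
        return -1;
    }

    d = fh->data;   /* a copy taken before the switch could be dangling now */
    fh->pos = backend_seek(d, fh->pos);
    return fh->pos;
}

/* The viewer scenario from the report: a few seeks, then one relative to the
 * end, which reopens the file. Returns 0 when the seek was issued against the
 * reopened handle and flags/mode survived the reopen, 1 otherwise. */
static int viewer_scenario(void)
{
    vfs_handle fh = { NULL, 0 };
    unsigned before;
    int ok;

    if (vfs_open(&fh, 0, 0644, 100) != 0)
        return -1;
    before = fh.data->handle;

    ok = vfs_lseek(&fh, 10, SEEK_SET) == 10
        && vfs_lseek(&fh, 5, SEEK_CUR) == 15
        && vfs_lseek(&fh, -1, SEEK_END) == 99
        && fh.data->handle != before          /* new handle after reopen */
        && fh.data->flags == 0 && fh.data->mode == 0644;

    vfs_close(&fh);
    return ok ? 0 : 1;
}

int main(void)
{
    int rc = viewer_scenario();
    printf("%s\n", rc == 0 ? "ok: seek used the reopened handle" : "FAIL");
    return rc;
}
```

The check on fh.data->handle is what a reviewer would want to see: the seek after SEEK_END is served by the handle created in the reopen, not by whatever the block held before it was freed.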

Change History

comment:1 Changed 4 years ago by vahur

  • Component changed from mc-core to mc-vfs

comment:2 Changed 4 years ago by andrew_b

  • Owner set to andrew_b
  • Status changed from new to accepted
  • Branch state changed from no branch to on review
  • Milestone changed from Future Releases to 4.8.12

Applied. Thanks!

Branch: 3176_sftpfs_view_file_segfault
changeset:1e89bc2d6e39fae2ba6a371758420b50bf7c0b00

comment:3 Changed 4 years ago by andrew_b

  • Status changed from accepted to testing
  • Votes for changeset set to andrew_b
  • Resolution set to fixed
  • Branch state changed from on review to merged

comment:4 Changed 4 years ago by andrew_b

  • Status changed from testing to closed