Wput ends with buffer overflow when rate-limited

Bug #949689 reported by Ben Coleman on 2012-03-08
This bug affects 3 people
Affects: wput (Ubuntu)
Importance: Undecided
Assigned to: Unassigned

Bug Description

This started up when I upgraded to Oneiric.

I'm fairly consistently finding that when using wput with --binary and --limit-rate for an ftp upload, the upload ends with a buffer overflow.

A sample recent run (host, username, and password obscured):

oloryn@fornost:~$ wput --binary --limit-rate=5K svnback2012-03-07.zip ftp://username:<email address hidden>/svnback2012-03-07.zip
--00:49:50-- `svnback2012-03-07.zip'
    => ftp://bhbackup:xxxxx@97.74.215.114:21/svnback2012-03-07.zip
Connecting to 97.74.215.114:21... connected! encrypted!
Logging in as bhbackup ... Logged in!
Length: 8,092,575
100%[====================================] 8,092,575 5.04K/s
*** buffer overflow detected ***: wput terminated
======= Backtrace: =========
/lib/i386-linux-gnu/libc.so.6(__fortify_fail+0x45)[0x34b8d5]
/lib/i386-linux-gnu/libc.so.6(+0xe66d7)[0x34a6d7]
/lib/i386-linux-gnu/libc.so.6(+0xe5d35)[0x349d35]
/lib/i386-linux-gnu/libc.so.6(_IO_default_xsputn+0x91)[0x2cff91]
/lib/i386-linux-gnu/libc.so.6(_IO_vfprintf+0x36e6)[0x2a7816]
/lib/i386-linux-gnu/libc.so.6(__vsprintf_chk+0xc9)[0x349e09]
/lib/i386-linux-gnu/libc.so.6(__sprintf_chk+0x2f)[0x349d1f]
wput[0x8052a96]
wput[0x804dee5]
wput[0x804e588]
wput[0x805608d]
wput[0x804bbf0]
/lib/i386-linux-gnu/libc.so.6(__libc_start_main+0xf3)[0x27d113]
Aborted

This may require a certain size of file being transferred to trigger it, and I'm not sure if --binary or --limit-rate is what triggers it. If I get time, I'll try to test that.

I use this for backups out of an ADSL line. Being able to rate-limit keeps the DSL line from being clogged.

Rumpeltux (rumpeltux) wrote :

I tried with your params, but can't reproduce it.
You may try to get a backtrace (https://wiki.ubuntu.com/Backtrace) or run with --memory-debug (see doc/INSTALL) to further track down the problem.

Fran Diéguez (frandieguez) wrote :

Hi all,

I got the same buffer overflow.

These are my specs:

kernel: Linux 3.2.13-grsec-xxxx-grs-ipv6-64 #1 SMP Thu Mar 29 09:48:59 UTC 2012 x86_64 x86_64 x86_64 GNU/Linux
(Server in Ovh)
Cpu: 8cores Intel(R) Xeon(R) CPU W3530 @ 2.80GHz
RAM: 24GB

$ more /etc/lsb-release
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=12.04
DISTRIB_CODENAME=precise
DISTRIB_DESCRIPTION="Ubuntu 12.04 LTS"

$ apt-cache show wput
Package: wput
Section: universe/web
Architecture: amd64
Version: 0.6.2-2build1

Here is the backtrace:
*** buffer overflow detected ***: wput terminated
======= Backtrace: =========
/lib/x86_64-linux-gnu/libc.so.6(__fortify_fail+0x37)[0x7fe7f9899007]
/lib/x86_64-linux-gnu/libc.so.6(+0x107f00)[0x7fe7f9897f00]
/lib/x86_64-linux-gnu/libc.so.6(+0x107369)[0x7fe7f9897369]
/lib/x86_64-linux-gnu/libc.so.6(_IO_default_xsputn+0xdd)[0x7fe7f980bbcd]
/lib/x86_64-linux-gnu/libc.so.6(_IO_vfprintf+0x98d)[0x7fe7f97d800d]
/lib/x86_64-linux-gnu/libc.so.6(__vsprintf_chk+0x94)[0x7fe7f9897404]
/lib/x86_64-linux-gnu/libc.so.6(__sprintf_chk+0x7d)[0x7fe7f989734d]
wput[0x409e68]
wput[0x40a296]
wput[0x4052c2]
wput[0x405cb8]
wput[0x40cc1f]
wput[0x402280]
/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xed)[0x7fe7f97b176d]
wput[0x402781]

Rumpeltux (rumpeltux) wrote :

I still need a backtrace, probably a valgrind run would be better. --memory-debug also. Also see BUGS section in the manpage.

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in wput (Ubuntu):
status: New → Confirmed
lincvz (cvuillemez) wrote :

Hello,
I regularly have the same issue on a production environment.
The command used is wput -R -v -t 3 ftp://<server>/<dir> -i <list_file>.
I have no .wputrc file.
Whenever the job fails, it generally runs successfully on the next execution (with the same file, same size).

# wput --version
wput version: 0.6.2

See the backtrace below:

*** buffer overflow detected ***: wput terminated
======= Backtrace: =========
/lib/x86_64-linux-gnu/libc.so.6(+0x7338f)[0x7f9265e5f38f]
/lib/x86_64-linux-gnu/libc.so.6(__fortify_fail+0x5c)[0x7f9265ef6c9c]
/lib/x86_64-linux-gnu/libc.so.6(+0x109b60)[0x7f9265ef5b60]
/lib/x86_64-linux-gnu/libc.so.6(+0x109069)[0x7f9265ef5069]
/lib/x86_64-linux-gnu/libc.so.6(_IO_default_xsputn+0xbc)[0x7f9265e6770c]
/lib/x86_64-linux-gnu/libc.so.6(_IO_vfprintf+0x1cd5)[0x7f9265e379c5]
/lib/x86_64-linux-gnu/libc.so.6(__vsprintf_chk+0x84)[0x7f9265ef50f4]
/lib/x86_64-linux-gnu/libc.so.6(__sprintf_chk+0x7d)[0x7f9265ef504d]
wput(+0xacfe)[0x7f92663e0cfe]
wput(+0xb577)[0x7f92663e1577]
wput(+0x613f)[0x7f92663dc13f]
wput(+0x6c16)[0x7f92663dcc16]
wput(+0xddec)[0x7f92663e3dec]
wput(+0x2fc5)[0x7f92663d8fc5]
/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf5)[0x7f9265e0dec5]
wput(+0x349f)[0x7f92663d949f]

lincvz (cvuillemez) wrote :

To clarify my previous comment, I'm running wput on Trusty:

# lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 14.04.1 LTS
Release: 14.04
Codename: trusty

lincvz (cvuillemez) wrote :

It seems the overflow occurs in one of the "sprintf" lines in progress.c, because my log stopped like this:

--11:20:12-- `file01.log.gz'
    => ftp://translog:xxxxx@XXXXXXXXX:21//file01.log.gz
==> SIZE file01.log.gz ... failed.
==> PASV ... done.
==> STOR file01.log.gz ... done.
Length: 68,786,837
    0K ....
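
Added example (not wput's code and not part of any comment in this report): the backtraces above end in __sprintf_chk calling __fortify_fail, which is how glibc's _FORTIFY_SOURCE aborts a sprintf() that would write past a destination whose size the compiler knows. The sketch below contrasts that unchecked pattern with a bounded snprintf() call; the buffer size, function names and sample rates are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define RATE_BUF 8  /* hypothetical size: fits "5.04K/s" plus the NUL */

/* Characters the rate text needs, excluding the NUL.
 * snprintf(NULL, 0, ...) measures without writing anything. */
int rate_len_needed(double bytes_per_sec)
{
    return snprintf(NULL, 0, "%.2fK/s", bytes_per_sec / 1024.0);
}

/* Unchecked pattern: the destination size is never consulted, so a value
 * wider than expected writes past the end of the buffer. Where the compiler
 * knows the destination size, _FORTIFY_SOURCE routes the call through
 * __sprintf_chk(), which aborts. Shown for contrast; never called here. */
void format_rate_unchecked(char *dst, double bytes_per_sec)
{
    sprintf(dst, "%.2fK/s", bytes_per_sec / 1024.0);
}

/* Bounded form: returns 0 on success, -1 if the text did not fit.
 * On truncation the buffer holds a fixed-width placeholder instead. */
int format_rate_checked(char *dst, size_t cap, double bytes_per_sec)
{
    int n = snprintf(dst, cap, "%.2fK/s", bytes_per_sec / 1024.0);
    if (n < 0 || (size_t)n >= cap) {
        if (cap > 0) {
            memset(dst, '?', cap - 1);
            dst[cap - 1] = '\0';
        }
        return -1;
    }
    return 0;
}

int main(void)
{
    char buf[RATE_BUF];
    double samples[] = { 5161.0, 1.0e9, 1.0e15 };  /* constructed rates, bytes/s */
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int rc = format_rate_checked(buf, sizeof buf, samples[i]);
        printf("needs %2d bytes, rc=%d, shown \"%s\"\n",
               rate_len_needed(samples[i]) + 1, rc, buf);
    }
    return 0;
}
```

The first sample fits exactly; the other two need 13 and 19 bytes, which the unchecked form would have written into the 8-byte buffer.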

Oldřich Jedlička (oldium-pro) wrote :

This patch should fix the issue. To try it, you can do the following:

apt-get build-dep wput
apt-get source wput
cd wput-<something>
*** now copy wput-fix-crash.patch to current dir (i.e. wput-<something>)
patch -p1 < ./wput-fix-crash.patch
./configure
make

and you should have a working wput in the current working directory.

The attachment "Fix of the crash" seems to be a patch. If it isn't, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are a member of the ~ubuntu-reviewers, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issues please contact him.]

tags: added: patch
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package wput - 0.6.2+git20130413-4

---------------
wput (0.6.2+git20130413-4) unstable; urgency=medium

  * Switch to https: VCS URIs (see #810378).
  * Add patch to avoid overrunning buffers, thanks to Oldřich Jedlička.
    (LP: #949689 and hopefully Closes: #733304).
  * Clean up debian/control using cme.
  * Standards-Version 3.9.8, no change required.
  * Add more spelling fixes.

 -- Stephen Kitt <email address hidden> Mon, 12 Dec 2016 21:57:19 +0100

Changed in wput (Ubuntu):
status: Confirmed → Fix Released