Wput ends with buffer overflow when rate-limited

Bug #949689 reported by Ben Coleman
This bug affects 3 people
Affects: wput (Ubuntu)
Status: Fix Released
Importance: Undecided
Assigned to: Unassigned

Bug Description

This started up when I upgraded to Oneiric.

I'm fairly consistently finding that when using wput with --binary and --limit-rate for an ftp upload, the upload ends with a buffer overflow.

A sample recent run (host, username, and password obscured):

oloryn@fornost:~$ wput --binary --limit-rate=5K svnback2012-03-07.zip ftp://username:<email address hidden>/svnback2012-03-07.zip
--00:49:50-- `svnback2012-03-07.zip'
    => ftp://bhbackup:xxxxx@97.74.215.114:21/svnback2012-03-07.zip
Connecting to 97.74.215.114:21... connected! encrypted!
Logging in as bhbackup ... Logged in!
Length: 8,092,575
100%[====================================] 8,092,575 5.04K/s
*** buffer overflow detected ***: wput terminated
======= Backtrace: =========
/lib/i386-linux-gnu/libc.so.6(__fortify_fail+0x45)[0x34b8d5]
/lib/i386-linux-gnu/libc.so.6(+0xe66d7)[0x34a6d7]
/lib/i386-linux-gnu/libc.so.6(+0xe5d35)[0x349d35]
/lib/i386-linux-gnu/libc.so.6(_IO_default_xsputn+0x91)[0x2cff91]
/lib/i386-linux-gnu/libc.so.6(_IO_vfprintf+0x36e6)[0x2a7816]
/lib/i386-linux-gnu/libc.so.6(__vsprintf_chk+0xc9)[0x349e09]
/lib/i386-linux-gnu/libc.so.6(__sprintf_chk+0x2f)[0x349d1f]
wput[0x8052a96]
wput[0x804dee5]
wput[0x804e588]
wput[0x805608d]
wput[0x804bbf0]
/lib/i386-linux-gnu/libc.so.6(__libc_start_main+0xf3)[0x27d113]
Aborted

This may require a certain size of file being transferred to trigger it, and I'm not sure if --binary or --limit-rate is what triggers it. If I get time, I'll try to test that.

I use this for backups out of an ADSL line. Being able to rate-limit keeps the DSL line from being clogged.

Tags: patch
Rumpeltux (rumpeltux) wrote :

I tried with your params, but can't reproduce it.
You may try to get a backtrace (https://wiki.ubuntu.com/Backtrace) or run with --memory-debug (see doc/INSTALL) to further track down the problem.

Fran Diéguez (frandieguez) wrote :

Hi all,

I got the same buffer overflow.

These are my specs:

kernel: Linux 3.2.13-grsec-xxxx-grs-ipv6-64 #1 SMP Thu Mar 29 09:48:59 UTC 2012 x86_64 x86_64 x86_64 GNU/Linux
(Server in Ovh)
Cpu: 8cores Intel(R) Xeon(R) CPU W3530 @ 2.80GHz
RAM: 24GB

$ more /etc/lsb-release
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=12.04
DISTRIB_CODENAME=precise
DISTRIB_DESCRIPTION="Ubuntu 12.04 LTS"

$ apt-cache show wput
Package: wput
Section: universe/web
Architecture: amd64
Version: 0.6.2-2build1

Here is the backtrace:
*** buffer overflow detected ***: wput terminated
======= Backtrace: =========
/lib/x86_64-linux-gnu/libc.so.6(__fortify_fail+0x37)[0x7fe7f9899007]
/lib/x86_64-linux-gnu/libc.so.6(+0x107f00)[0x7fe7f9897f00]
/lib/x86_64-linux-gnu/libc.so.6(+0x107369)[0x7fe7f9897369]
/lib/x86_64-linux-gnu/libc.so.6(_IO_default_xsputn+0xdd)[0x7fe7f980bbcd]
/lib/x86_64-linux-gnu/libc.so.6(_IO_vfprintf+0x98d)[0x7fe7f97d800d]
/lib/x86_64-linux-gnu/libc.so.6(__vsprintf_chk+0x94)[0x7fe7f9897404]
/lib/x86_64-linux-gnu/libc.so.6(__sprintf_chk+0x7d)[0x7fe7f989734d]
wput[0x409e68]
wput[0x40a296]
wput[0x4052c2]
wput[0x405cb8]
wput[0x40cc1f]
wput[0x402280]
/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xed)[0x7fe7f97b176d]
wput[0x402781]

Rumpeltux (rumpeltux) wrote :

I still need a backtrace, probably a valgrind run would be better. --memory-debug also. Also see BUGS section in the manpage.

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in wput (Ubuntu):
status: New → Confirmed
lincvz (cvuillemez) wrote :

Hello,
I regularly have the same issue in a production environment.
The command used is wput -R -v -t 3 ftp://<server>/<dir> -i <list_file>.
I have no .wputrc file.
Whenever the job fails, it generally runs successfully on the next execution (with the same file, same size).

# wput --version
wput version: 0.6.2

See the BT below:

*** buffer overflow detected ***: wput terminated
======= Backtrace: =========
/lib/x86_64-linux-gnu/libc.so.6(+0x7338f)[0x7f9265e5f38f]
/lib/x86_64-linux-gnu/libc.so.6(__fortify_fail+0x5c)[0x7f9265ef6c9c]
/lib/x86_64-linux-gnu/libc.so.6(+0x109b60)[0x7f9265ef5b60]
/lib/x86_64-linux-gnu/libc.so.6(+0x109069)[0x7f9265ef5069]
/lib/x86_64-linux-gnu/libc.so.6(_IO_default_xsputn+0xbc)[0x7f9265e6770c]
/lib/x86_64-linux-gnu/libc.so.6(_IO_vfprintf+0x1cd5)[0x7f9265e379c5]
/lib/x86_64-linux-gnu/libc.so.6(__vsprintf_chk+0x84)[0x7f9265ef50f4]
/lib/x86_64-linux-gnu/libc.so.6(__sprintf_chk+0x7d)[0x7f9265ef504d]
wput(+0xacfe)[0x7f92663e0cfe]
wput(+0xb577)[0x7f92663e1577]
wput(+0x613f)[0x7f92663dc13f]
wput(+0x6c16)[0x7f92663dcc16]
wput(+0xddec)[0x7f92663e3dec]
wput(+0x2fc5)[0x7f92663d8fc5]
/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf5)[0x7f9265e0dec5]
wput(+0x349f)[0x7f92663d949f]

lincvz (cvuillemez) wrote :

To clarify my previous comment, I'm running wput on Trusty:

# lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 14.04.1 LTS
Release: 14.04
Codename: trusty

lincvz (cvuillemez) wrote :

It seems the overflow occurs in one of the "sprintf" lines in progress.c, because my log stopped like this:

--11:20:12-- `file01.log.gz'
    => ftp://translog:xxxxx@XXXXXXXXX:21//file01.log.gz
==> SIZE file01.log.gz ... failed.
==> PASV ... done.
==> STOR file01.log.gz ... done.
Length: 68,786,837
    0K ....
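
The glibc abort reports quoted in this thread already name the fortified call and the wput return addresses that led to it. As an added example (not part of the original thread and not wput code), this script pulls both out of such a report in a form ready for addr2line; the sample lines are copied and trimmed from the backtraces above, and the `/usr/bin/wput` default and the function names are assumptions.

```python
import re

# Sample input: frames copied from the two x86_64 reports in this thread
# (non-PIE build on 12.04, PIE build on 14.04), trimmed to the relevant lines.
SAMPLE_NON_PIE = """\
*** buffer overflow detected ***: wput terminated
======= Backtrace: =========
/lib/x86_64-linux-gnu/libc.so.6(__fortify_fail+0x37)[0x7fe7f9899007]
/lib/x86_64-linux-gnu/libc.so.6(__vsprintf_chk+0x94)[0x7fe7f9897404]
/lib/x86_64-linux-gnu/libc.so.6(__sprintf_chk+0x7d)[0x7fe7f989734d]
wput[0x409e68]
wput[0x40a296]
======= Memory map: ========
"""
SAMPLE_PIE = """\
/lib/x86_64-linux-gnu/libc.so.6(__sprintf_chk+0x7d)[0x7f9265ef504d]
wput(+0xacfe)[0x7f92663e0cfe]
wput(+0xb577)[0x7f92663e1577]
"""

# Frame shape: module(symbol+0xoff)[0xaddr]; the parenthesised part is optional.
FRAME = re.compile(
    r"^(?P<mod>[^\s(\[]+)(?:\((?P<sym>[^+)]*)\+(?P<off>0x[0-9a-f]+)\))?"
    r"\[(?P<addr>0x[0-9a-f]+)\]$")

def triage(report, program="wput"):
    """Return (fortified libc wrapper, unchecked API, addresses for addr2line)."""
    wrapper, addrs = None, []
    for line in report.splitlines():
        m = FRAME.match(line.strip())
        if not m:
            continue  # banner, section header or memory-map line
        sym = m.group("sym") or ""
        if m.group("mod").endswith(program):
            # PIE frames carry a load-independent offset; non-PIE frames only
            # have the absolute address, which equals the link-time address.
            addrs.append(m.group("off") or m.group("addr"))
        elif sym.endswith("_chk"):
            wrapper = sym  # frames are innermost first: keep the outermost *_chk
    api = wrapper[2:-4] if wrapper else None  # __sprintf_chk -> sprintf
    return wrapper, api, addrs

def addr2line_cmd(addrs, binary="/usr/bin/wput"):
    # Needs debug symbols matching the crashed build to print file:line.
    return ["addr2line", "-f", "-C", "-e", binary] + addrs
```

The first address returned is the return address of the `sprintf` call site that overran its destination buffer, so it resolves to the line just after that call.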

Oldřich Jedlička (oldium) wrote :

This patch should fix the issue. To try it, you can do the following:

apt-get build-dep wput
apt-get source wput
cd wput-<something>
# now copy wput-fix-crash.patch to the current dir (i.e. wput-<something>)
patch -p1 < ./wput-fix-crash.patch
./configure
make

and you should have a working wput in the current working directory.

Ubuntu Foundations Team Bug Bot (crichton) wrote :

The attachment "Fix of the crash" seems to be a patch. If it isn't, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are a member of the ~ubuntu-reviewers, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issues please contact him.]

tags: added: patch
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package wput - 0.6.2+git20130413-4

---------------
wput (0.6.2+git20130413-4) unstable; urgency=medium

  * Switch to https: VCS URIs (see #810378).
  * Add patch to avoid overrunning buffers, thanks to Oldřich Jedlička.
    (LP: #949689 and hopefully Closes: #733304).
  * Clean up debian/control using cme.
  * Standards-Version 3.9.8, no change required.
  * Add more spelling fixes.

 -- Stephen Kitt <email address hidden> Mon, 12 Dec 2016 21:57:19 +0100

Changed in wput (Ubuntu):
status: Confirmed → Fix Released