[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Bug-wget] wget bug report

From: Ildar Isaev
Subject: [Bug-wget] wget bug report
Date: Fri, 14 May 2010 22:48:29 +0400
User-agent: Thunderbird (X11/20090409)

Hi, i downloaded wget-1.12 from ftp://ftp.gnu.org/gnu/wget/wget-1.12.tar.bz2

It turns out it has a null pointer dereference bug. This is how it may be reproduced.

Expl_for_wget.c (attached) is a small pseudo web server. Compile it and run:

address@hidden:$ gcc -Wall expl_for_wget.c -o expl_for_wget
address@hidden:$ ./expl_for_wget &
[1] 7330
address@hidden:$ gdb --args <path_to_wget_install_dir>/bin/wget
GNU gdb 6.8-debian
Copyright (C) 2008 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "i486-linux-gnu"...
(gdb) run
[Thread debugging using libthread_db enabled]
--2010-05-14 22:39:36--
Connecting to connected.
HTTP request sent, awaiting response... [New Thread 0x403a26c0 (LWP 7332)]

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x403a26c0 (LWP 7332)]
0x40286613 in strlen () from /lib/tls/i686/cmov/libc.so.6
(gdb) bt
#0  0x40286613 in strlen () from /lib/tls/i686/cmov/libc.so.6
#1  0x08081a2d in xstrdup (string=0x0) at xmalloc.c:117
#2 0x08063c7d in gethttp (u=0x8a280e8, hs=0xbffa8be0, dt=0xbffa8f24, proxy=0x0, iri=0x8a27d40) at http.c:1832 #3 0x08066151 in http_loop (u=0x8a280e8, newloc=0xbffa8dec, local_file=0xbffa8dd8, referer=0x0, dt=0xbffa8f24, proxy=0x0,
   iri=0x8a27d40) at http.c:2581
#4 0x08072798 in retrieve_url (orig_parsed=0x8a280e8, origurl=0x8a27dd8 "";, file=0xbffa8f2c, newloc=0xbffa8f28, refurl=0x0, dt=0xbffa8f24, recursive=false, iri=0x8a27d40, register_status=true) at retr.c:692
#5  0x0806c46e in main (argc=2, argv=0xbffa9014) at main.c:1294
(gdb) up
#1  0x08081a2d in xstrdup (string=0x0) at xmalloc.c:117
117      return xmemdup (string, strlen (string) + 1);
#2 0x08063c7d in gethttp (u=0x8a280e8, hs=0xbffa8be0, dt=0xbffa8f24, proxy=0x0, iri=0x8a27d40) at http.c:1832
1832      hs->message = xstrdup (message);
(gdb) list
1827      resp = resp_new (head);
1828 1829 /* Check for status line. */
1830      message = NULL;
1831      statcode = resp_status (resp, &message);
1832      hs->message = xstrdup (message);
1833      if (!opt.server_response)
1834        logprintf (LOG_VERBOSE, "%2d %s\n", statcode,
1835 message ? quotearg_style (escape_quoting_style, message) : "");
1836      else
(gdb) p message
$1 = 0x0

One can see that null pointer dereference occurs at http.c:1832 as 'message' is equal to null.

Best regards,
/* Server code in C */
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
int main(void)
  struct sockaddr_in stSockAddr;
  int sfd = socket(PF_INET, SOCK_STREAM, IPPROTO_TCP);

  if(sfd == -1)
    perror("can not create socket");
  memset(&stSockAddr, 0, sizeof(struct sockaddr_in));
  stSockAddr.sin_family = AF_INET;
  stSockAddr.sin_port = htons(3500);
  inet_pton(AF_INET, "", &stSockAddr.sin_addr);

  int bindRes = bind(sfd, (const struct sockaddr*)&stSockAddr, sizeof(struct 
  if(bindRes == -1)
    perror("error bind failed");

  int listenRes = listen(sfd, 10);
  if(listenRes == -1)
    perror("error listen failed");
  int cfd = accept(sfd, NULL, NULL);
  char buf[227] = 
  write(cfd, buf, 227);
  return 0;

reply via email to

[Prev in Thread] Current Thread [Next in Thread]