tests: Check for ftp crashes with "nmap" command

* tests/Makefile.am (EXTRA_DIST): Add new binary fuzzer found input. * tests/crash-ftp-msg2021-12_04.bin: New file. Input found via fuzzer that crashes ftp via NULL pointer dereference. Reported by AiDai in <https://lists.gnu.org/archive/html/bug-inetutils/2021-12/msg00004.html>. * tests/ftp-parser.sh: Add currently failing tests with a tab between arguments to the "nmap" command. * tests/ftp-regressions.sh: Add currently failing check for regression of upcoming fix for bug reported by AiDai.
2026-01-12 00:19:39 +08:00 · 2022-10-01 17:49:13 +02:00
parent d7ffbeb134
commit 5019909b84
4 changed files with 37 additions and 1 deletions
--- a/tests/Makefile.am
+++ b/tests/Makefile.am
@@ -21,7 +21,8 @@ AM_CPPFLAGS = $(iu_INCLUDES)
 LDADD = $(iu_LIBRARIES)

 EXTRA_DIST = tools.sh.in ifconfig_modes.sh crash-tftp-msg2021-12_18.bin \
-	crash-ftp-msg2021-12_03.bin crash-ftp-msg2021-12_16.bin
+	crash-ftp-msg2021-12_03.bin crash-ftp-msg2021-12_16.bin \
+	crash-ftp-msg2021-12_04.bin

 noinst_PROGRAMS = identify
 identify_LDADD = $(top_builddir)/lib/libgnu.a $(LIBUTIL) $(PTY_LIB)
--- a/tests/crash-ftp-msg2021-12_04.bin
+++ b/tests/crash-ftp-msg2021-12_04.bin
--- a/tests/ftp-parser.sh
+++ b/tests/ftp-parser.sh
@@ -121,6 +121,13 @@ reply=`echo "$tell" | $FTP`
 test `echo "$reply" | $FGREP -c 'Nmap: (in) a (out) B'` -eq 1 \
 || { errno=1; echo >&2 'Failed to set file name mapping using single line.'; }

+# One line giving both patterns with tab between arguments to nmap.
+tell='nmap x	Y
+status'
+reply=`echo "$tell" | $FTP`
+test `echo "$reply" | $FGREP -c 'Nmap: (in) x (out) Y'` -eq 1 || { errno=1
+  echo >&2 'Failed to set file name mapping using tab between arguments.'; }
+
 # Second pattern on a line of its own.
 tell='nmap A
 b
@@ -138,6 +145,13 @@ reply=`echo "$tell" | $FTP`
 test `echo "$reply" | $FGREP -c 'Nmap: (in) c (out) D'` -eq 1 || { errno=1
  echo >&2 'Failed to set proxy file name mapping using single line.'; }

+# One line giving both patterns with tab between arguments to nmap.
+tell='proxy nmap X	y
+proxy status'
+reply=`echo "$tell" | $FTP`
+test `echo "$reply" | $FGREP -c 'Nmap: (in) X (out) y'` -eq 1 || { errno=1
+  echo >&2 'Failed to set proxy file name mapping (one line, tab b/w args).'; }
+
 # Second pattern on a line of its own.
 tell='proxy nmap C
 d
@@ -146,6 +160,14 @@ reply=`echo "$tell" | $FTP`
 test `echo "$reply" | $FGREP -c 'Nmap: (in) C (out) d'` -eq 1 || { errno=1
  echo >&2 'Failed to set proxy file name mapping using two lines.'; }

+# Proxy command on a separate line, tabs between arguments of nmap line.
+tell='proxy
+nmap	u	V
+proxy status'
+reply=`echo "$tell" | $FTP`
+test `echo "$reply" | $FGREP -c 'Nmap: (in) u (out) V'` -eq 1 || { errno=1
+  echo >&2 'Failed to set proxy file name mapping (two lines, tab b/w args).'; }
+
 # Both proxy command and second pattern on a line of its own.
 tell='proxy
 nmap e
--- a/tests/ftp-regressions.sh
+++ b/tests/ftp-regressions.sh
@@ -92,6 +92,19 @@ else
    $silence echo 'Input from message 2021-12/16 did not crash ftp.' >&2
 fi

+# Check regression of crash reported in:
+# https://lists.gnu.org/archive/html/bug-inetutils/2021-12/msg00004.html
+EFFORTS=`expr $EFFORTS + 1`
+$silence echo 'Checking ftp crash bug from message 2021-12/04...' >&2
+"$FTP" < "$srcdir"/crash-ftp-msg2021-12_04.bin >/dev/null 2>&1
+if test $? -ne 0; then
+    $silence echo 'Regression of ftp crash bug from message 2021-12/04.' >&2
+    RESULT=1
+else
+    SUCCESSES=`expr $SUCCESSES + 1`
+    $silence echo 'Input from message 2021-12/04 did not crash ftp.' >&2
+fi
+
 # Print test statistics.
 $silence echo
 test "$RESULT" -eq 0 && test "$SUCCESSES" -eq "$EFFORTS" && $silence false \