From 1b937c6994b16334cbec599be77c3f3917e18c8c Mon Sep 17 00:00:00 2001 From: Sebastian Huber Date: Tue, 29 Jan 2013 14:12:20 +0100 Subject: ftpd: Check the root and current directory change Only continue the session if the root and current directory change was successful, otherwise the FTP server may access restricted file system areas. --- cpukit/ftpd/ftpd.c | 48 ++++++++++++++++++++++++++++-------------------- 1 file changed, 28 insertions(+), 20 deletions(-) (limited to 'cpukit/ftpd') diff --git a/cpukit/ftpd/ftpd.c b/cpukit/ftpd/ftpd.c index 8ffd878d2d..3b77b3bf33 100644 --- a/cpukit/ftpd/ftpd.c +++ b/cpukit/ftpd/ftpd.c @@ -1914,39 +1914,49 @@ session(rtems_task_argument arg) while(1) { rtems_event_set set; + int rv; rtems_event_receive(FTPD_RTEMS_EVENT, RTEMS_EVENT_ANY, RTEMS_NO_TIMEOUT, &set); chroot_made = chroot_made || chroot(ftpd_root) == 0; - errno = 0; + rv = chroot_made ? chdir("/") : -1; - send_reply(info, 220, FTPD_SERVER_MESSAGE); + errno = 0; - while (1) + if (rv == 0) { - char buf[FTPD_BUFSIZE]; - char *cmd, *opts, *args; + send_reply(info, 220, FTPD_SERVER_MESSAGE); - if (fgets(buf, FTPD_BUFSIZE, info->ctrl_fp) == NULL) + while (1) { - syslog(LOG_INFO, "ftpd: Connection aborted."); - break; - } + char buf[FTPD_BUFSIZE]; + char *cmd, *opts, *args; - split_command(buf, &cmd, &opts, &args); + if (fgets(buf, FTPD_BUFSIZE, info->ctrl_fp) == NULL) + { + syslog(LOG_INFO, "ftpd: Connection aborted."); + break; + } - if (!strcmp("QUIT", cmd)) - { - send_reply(info, 221, "Goodbye."); - break; - } - else - { - exec_command(info, cmd, args); + split_command(buf, &cmd, &opts, &args); + + if (!strcmp("QUIT", cmd)) + { + send_reply(info, 221, "Goodbye."); + break; + } + else + { + exec_command(info, cmd, args); + } } } + else + { + send_reply(info, 421, "Service not available, closing control connection."); + } /* Close connection and put ourselves back into the task pool. */ close_data_socket(info); 
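Review bot: When `chroot(ftpd_root)` or `chdir("/")` fails, the new code resets `errno` and answers 421 without recording the reason, so a server that can no longer confine sessions to its root leaves no trace for an operator to alert on. Log the failure before the `errno = 0;` line, for example `if (rv != 0) syslog(LOG_ERR, "ftpd: cannot enter root directory: %s", strerror(errno));`; `syslog` is already used in this loop for the aborted-connection message. `chroot_made` also latches after the first success, so later sessions on the same task depend on `chdir("/")` alone. That is presumably intended if the task's root persists between sessions, but a one-line comment such as `/* chroot is done once per task; later sessions only reset the cwd */` would make the assumption explicit. The body of `session()` starts and ends outside this hunk.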
@@ -1954,8 +1964,6 @@ session(rtems_task_argument arg) free(info->user); free(info->pass); task_pool_release(info); - - chdir("/"); } } -- cgit v1.2.3