Subject: bin/589: ntalkd can write bogus usernames to tty's.
To: None <gnats-admin@sun-lamp.cs.berkeley.edu>
From: matthew green <mrg@splode.mame.mu.OZ.AU>
List: netbsd-bugs
Date: 11/28/1994 03:35:06
>Number:         589
>Category:       bin
>Synopsis:       ntalkd can write bogus usernames to tty's.
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    gnats-admin (Utility Bug People)
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Mon Nov 28 03:35:04 1994
>Originator:     matthew green
>Organization:
bozotic softwar foundation
>Release:        25/11/94
>Environment:
System: NetBSD splode.mame.mu.OZ.AU 1.0A NetBSD 1.0A (_splode_) #54: Sat Nov 26 17:11:31 EST 1994 mrg@splode.mame.mu.OZ.AU:/splode/src/sys/arch/sparc/compile/_splode_ sparc


>Description:

	ntalkd can be used by malicious users to display any character
	sequence on a user's display, such as "reset terminal". quite
	annoying.
>How-To-Repeat:

	find a "flash.c" from the net and run "flash me@myhost" ....

>Fix:

apply this patch in /usr/src/libexec/ntalkd


*** announce.c.orig	Mon Nov 28 21:25:40 1994
--- announce.c	Mon Nov 28 21:30:08 1994
***************
*** 49,54 ****
--- 49,55 ----
  #include <stdio.h>
  #include <string.h>
  #include <paths.h>
+ #include <vis.h>
  
  extern char hostname[];
  
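Review bot: the include list gains <vis.h> for strvis(), but the next hunk also calls malloc() and free(), and none of the includes visible here (<stdio.h>, <string.h>, <paths.h>) declares them. If <stdlib.h> is not already included above line 49, add it next to <vis.h>; with the prototype in scope the (char *) cast on malloc() is no longer needed either.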
***************
*** 145,151 ****
--- 146,154 ----
  	char big_buf[N_LINES*N_CHARS];
  	char *bptr, *lptr;
  	int i, j, max_size;
+ 	char *vis_user = (char *) malloc((strlen(request->l_name) * 4) + 1);
  
+ 	strvis(vis_user, request->l_name, VIS_CSTYLE);
  	i = 0;
  	max_size = 0;
  	gettimeofday(&clock, &zone);
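Review bot: the malloc() result in the vis_user initializer goes straight into strvis() with no NULL check, so an allocation failure turns into a write through a null pointer inside the daemon. Test vis_user before the strvis() call and abandon the announcement if it is NULL. The (strlen * 4) + 1 sizing matches the worst case strvis() documents for its destination, so the allocation size itself is fine.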
***************
*** 160,171 ****
  	max_size = max(max_size, sizes[i]);
  	i++;
  	(void)sprintf(line_buf[i], "talk: connection requested by %s@%s.",
! 		request->l_name, remote_machine);
  	sizes[i] = strlen(line_buf[i]);
  	max_size = max(max_size, sizes[i]);
  	i++;
  	(void)sprintf(line_buf[i], "talk: respond with:  talk %s@%s",
! 		request->l_name, remote_machine);
  	sizes[i] = strlen(line_buf[i]);
  	max_size = max(max_size, sizes[i]);
  	i++;
--- 163,175 ----
  	max_size = max(max_size, sizes[i]);
  	i++;
  	(void)sprintf(line_buf[i], "talk: connection requested by %s@%s.",
! 		vis_user, remote_machine);
  	sizes[i] = strlen(line_buf[i]);
  	max_size = max(max_size, sizes[i]);
  	i++;
  	(void)sprintf(line_buf[i], "talk: respond with:  talk %s@%s",
! 		vis_user, remote_machine);
! 	free(vis_user);
  	sizes[i] = strlen(line_buf[i]);
  	max_size = max(max_size, sizes[i]);
  	i++;
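Review bot: both sprintf() calls now format vis_user, which can be up to four times as long as request->l_name, into line_buf[i] with no length bound. The size of line_buf is not visible in this patch, so confirm the expanded name plus remote_machine still fits, or bound the write with snprintf() or a "%.*s" precision. remote_machine is also still printed unescaped on the same two lines; if any part of it is supplied by the caller it needs the same strvis() treatment.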
>Audit-Trail:
>Unformatted: