Subject: bin/2640: rlogin doesn't check bounds when copying env vars
To: None <gnats-bugs@NetBSD.ORG>
From: None <kashmir@umiacs.UMD.EDU>
List: netbsd-bugs
Date: 07/17/1996 18:36:59
>Number: 2640
>Category: bin
>Synopsis: rlogin doesn't check bounds when copying env vars
>Confidential: no
>Severity: critical
>Priority: high
>Responsible: bin-bug-people (Utility Bug People)
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Wed Jul 17 18:50:01 1996
>Last-Modified:
>Originator: Mike Grupenhoff
>Organization:
none
>Release: Current as of 6/22
>Environment:
System: NetBSD snarf.umiacs.umd.edu 1.2_ALPHA NetBSD 1.2_ALPHA (SNARF) #118: Tue Jul 9 00:30:42 EDT 1996 kashmir@snarf.umiacs.umd.edu:/usr/src/sys/arch/i386/compile/SNARF i386
>Description:
rlogin copies the TERM environment var into a temp buffer of size
1024 using strcpy(). If TERM happens to be larger than 1024, bad
things could happen. rlogin is installed setuid root.
>How-To-Repeat:
setenv TERM to something > 1024, and watch the stack get trashed.
>Fix:
Paul Traina put the following fix into FreeBSD.
Index: rlogin.c
===================================================================
RCS file: /snarf/netbsd/master/src/usr.bin/rlogin/rlogin.c,v
retrieving revision 1.4
diff -u -r1.4 rlogin.c
--- rlogin.c 1995/12/06 17:53:11 1.4
+++ rlogin.c 1996/07/15 21:29:06
@@ -263,7 +263,7 @@
exit(1);
}
- (void)strcpy(term, (p = getenv("TERM")) ? p : "network");
+ (void)strncpy(term, (p = getenv("TERM")) ? p : "network", sizeof(term));
if (tcgetattr(0, &tty) == 0) {
(void)strcat(term, "/");
(void)sprintf(term + strlen(term), "%d", cfgetospeed(&tty));
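Review bot: the strncpy(term, ..., sizeof(term)) on the + line does not NUL-terminate term when TERM is sizeof(term) bytes or longer, so the strcat(term, "/") and sprintf(term + strlen(term), ...) in the trailing context still run off the end of the buffer. Even when the copy is terminated, a TERM just under the buffer size leaves no room for the "/" and the speed digits that are appended next. Suggest limiting the copy to sizeof(term) minus the space needed for "/", the speed digits and the terminator, writing the '\0' explicitly after the copy, and bounding the append too (for example snprintf with the remaining length, where available).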
>Audit-Trail:
>Unformatted: