Subject: bin/2640: rlogin doesn't check bounds when copying env vars
To: None <gnats-bugs@NetBSD.ORG>
From: None <kashmir@umiacs.UMD.EDU>
List: netbsd-bugs
Date: 07/17/1996 18:36:59
>Number:         2640
>Category:       bin
>Synopsis:       rlogin doesn't check bounds when copying env vars
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    bin-bug-people (Utility Bug People)
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Wed Jul 17 18:50:01 1996
>Last-Modified:
>Originator:     Mike Grupenhoff
>Organization:
	none
>Release:        Current as of 6/22
>Environment:
System: NetBSD snarf.umiacs.umd.edu 1.2_ALPHA NetBSD 1.2_ALPHA (SNARF) #118: Tue Jul 9 00:30:42 EDT 1996 kashmir@snarf.umiacs.umd.edu:/usr/src/sys/arch/i386/compile/SNARF i386

>Description:
	rlogin copies the TERM environment var into a temp buffer of size
	1024 using strcpy().  If TERM happens to be larger than 1024, bad
	things could happen.  rlogin is installed setuid root.
>How-To-Repeat:
	setenv TERM to something > 1024, and watch the stack get trashed.
>Fix:
	Paul Traina put the following fix into FreeBSD.

Index: rlogin.c
===================================================================
RCS file: /snarf/netbsd/master/src/usr.bin/rlogin/rlogin.c,v
retrieving revision 1.4
diff -u -r1.4 rlogin.c
--- rlogin.c	1995/12/06 17:53:11	1.4
+++ rlogin.c	1996/07/15 21:29:06
@@ -263,7 +263,7 @@
 		exit(1);
 	}
 
-	(void)strcpy(term, (p = getenv("TERM")) ? p : "network");
+	(void)strncpy(term, (p = getenv("TERM")) ? p : "network", sizeof(term));
 	if (tcgetattr(0, &tty) == 0) {
 		(void)strcat(term, "/");
 		(void)sprintf(term + strlen(term), "%d", cfgetospeed(&tty));
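Review bot: The strncpy() call on the + line can leave term without a terminating NUL. When TERM is sizeof(term) bytes or longer, strncpy() fills the whole buffer and writes no terminator, so the strcat(term, "/") and sprintf(term + strlen(term), "%d", ...) in the context lines that follow scan and write past the end of term. Even a properly terminated copy of sizeof(term) - 1 bytes leaves no room for the "/" and the speed digits those two calls append, so the overflow is narrowed but not closed. Suggest limiting the copy to sizeof(term) minus the space needed for "/", the speed digits and the NUL, and setting the final byte to '\0' explicitly; alternatively, build the whole "TERM/speed" string with a single bounded snprintf(term, sizeof(term), ...) call.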
>Audit-Trail:
>Unformatted: