Subject: bin/3695: rsh sends corrupted commands
To: None <gnats-bugs@gnats.netbsd.org>
From: Juergen Hannken-Illjes <hannken@ppp-jhi.eis.cs.tu-bs.de>
List: netbsd-bugs
Date: 06/01/1997 21:51:50
>Number: 3695
>Category: bin
>Synopsis: rsh sends corrupted commands
>Confidential: no
>Severity: critical
>Priority: high
>Responsible: bin-bug-people (Utility Bug People)
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Sun Jun 1 13:05:00 1997
>Last-Modified:
>Originator: Juergen Hannken-Illjes
>Organization:
TU Braunschweig / Abt EIS
>Release: <NetBSD-current source date>tar-balls as of May, 31 1997
>Environment:
System: NetBSD home 1.2E NetBSD 1.2E (CUSTOM) #67: Sat May 31 22:16:15 MEST 1997 hannken@home:/usr/src/sys/arch/i386/compile/CUSTOM i386
>Description:
rsh corrupts the command sent to the remote host.
>How-To-Repeat:
run ``rsh args argg ...''
>Fix:
Use strcpy instaed of strcat because "*p++ = ' '" leaves p without
terminating '\0'.
--- rsh.c Tue May 27 11:36:22 1997
+++ rsh.c Sun Jun 1 21:41:35 1997
@@ -523,9 +523,9 @@
cc += strlen(*ap) + 1;
if (!(args = malloc((u_int)cc)))
errx(1, "%s", strerror(ENOMEM));
for (p = args, *p = '\0', ap = argv; *ap; ++ap) {
- strcat(p, *ap);
+ strcpy(p, *ap);
p += strlen(p);
if (ap[1])
*p++ = ' ';
}
>Audit-Trail:
>Unformatted: