Subject: bin/4284: yet another wrong rcmd call
To: None <gnats-bugs@gnats.netbsd.org>
From: Tatoku Ogaito <tacha@tera.fukui-med.ac.jp>
List: netbsd-bugs
Date: 10/17/1997 22:41:33
>Number:         4284
>Category:       bin
>Synopsis:       yet another wrong rcmd call
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    bin-bug-people (Utility Bug People)
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Fri Oct 17 06:50:05 1997
>Last-Modified:
>Originator:     Tatoku Ogaito
>Organization:
-----            : Tatoku Ogaito
   / _  _ _/ _   : Department of Physics, Fukui Medical University
  / (_|(_ /)(_|  : E-mail: tacha@tera.fukui-med.ac.jp
>Release:        1997/10/17
>Environment:
	
System: NetBSD tera.fukui-med.ac.jp 1.2G NetBSD 1.2G (TERA) #96: Fri Oct 17 13:00:53 JST 1997 root@tera.fukui-med.ac.jp:/usr/current/src/sys/arch/i386/compile/TERA i386


>Description:
	the function tolocal in bin/rcp/rcp.c invokes
rcmd(3) with getpwent(3) results. So under some conditions,
rcp will fail.

>How-To-Repeat:
	look at rcp.c and the bug section of rcmd(3).
>Fix:
*** bin/rcp/rcp.c.orig	Sun Sep 14 20:06:32 1997
--- bin/rcp/rcp.c	Fri Oct 17 22:36:45 1997
***************
*** 332,339 ****
  	char *argv[];
  {
  	int i, len;
! 	char *bp, *host, *src, *suser;
  
  	for (i = 0; i < argc - 1; i++) {
  		if (!(src = colon(argv[i]))) {		/* Local to local. */
  			len = strlen(_PATH_CP) + strlen(argv[i]) +
--- 332,342 ----
  	char *argv[];
  {
  	int i, len;
! 	char *bp, *host, *src, *suser, *user;
  
+ 	if (NULL == (user = strdup(pwd->pw_name)))
+ 		err(1,"malloc");
+ 		
  	for (i = 0; i < argc - 1; i++) {
  		if (!(src = colon(argv[i]))) {		/* Local to local. */
  			len = strlen(_PATH_CP) + strlen(argv[i]) +
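Review bot: the added strdup(pwd->pw_name) ahead of the loop has no comment saying why the copy is taken; one line noting that rcmd(3) must not be handed a pointer into the passwd lookup's storage would keep a later cleanup from reverting it. The failure message is err(1,"malloc") although the call that failed is strdup, so "strdup" would be more accurate. The test NULL == (user = ...) is written the opposite way round from the (host = strchr(argv[i], '@')) == NULL test further down in the same function. None of the visible hunks releases user, so a free(user) after the loop would match the free(bp) handling. The added empty line also carries trailing tabs.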
***************
*** 353,364 ****
  			src = ".";
  		if ((host = strchr(argv[i], '@')) == NULL) {
  			host = argv[i];
! 			suser = pwd->pw_name;
  		} else {
  			*host++ = 0;
  			suser = argv[i];
  			if (*suser == '\0')
! 				suser = pwd->pw_name;
  			else if (!okname(suser))
  				continue;
  		}
--- 356,367 ----
  			src = ".";
  		if ((host = strchr(argv[i], '@')) == NULL) {
  			host = argv[i];
! 			suser = user;
  		} else {
  			*host++ = 0;
  			suser = argv[i];
  			if (*suser == '\0')
! 				suser = user;
  			else if (!okname(suser))
  				continue;
  		}
***************
*** 369,377 ****
  		rem = 
  #ifdef KERBEROS
  		    use_kerberos ? 
! 			kerberos(&host, bp, pwd->pw_name, suser) : 
  #endif
! 			rcmd(&host, port, pwd->pw_name, suser, bp, 0);
  		(void)free(bp);
  		if (rem < 0) {
  			++errs;
--- 372,380 ----
  		rem = 
  #ifdef KERBEROS
  		    use_kerberos ? 
! 			kerberos(&host, bp, user, suser) : 
  #endif
! 			rcmd(&host, port, user, suser, bp, 0);
  		(void)free(bp);
  		if (rem < 0) {
  			++errs;
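Review bot: the changed rcmd(&host, port, user, suser, bp, 0) line still passes a bare 0 for the final pointer argument; since the line is being rewritten anyway, NULL would state the intent more clearly. Both this call and the kerberos() call now depend on user staying valid for every pass through the loop, which holds only because the copy is made once before the loop and is not freed inside it; a short comment at the call site would make that dependency visible.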
>Audit-Trail:
>Unformatted:
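
The failure mode behind this report, as an added example that is not code from rcp.c or from the report's author: the getpw*(3) functions return pointers into static storage that later lookups overwrite. Here lookup() and model_rcmd() are hypothetical stand-ins, the account names are constructed, and it is an assumption of the model that the callee performs its own account lookup before using the name it was given.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for getpw*(3): one static record, overwritten
 * by every lookup, like the real functions' static storage. */
struct acct { char name[32]; };
static struct acct acct_buf;

static struct acct *lookup(const char *name)
{
	snprintf(acct_buf.name, sizeof(acct_buf.name), "%s", name);
	return &acct_buf;
}

/* Hypothetical stand-in for rcmd(3). Assumption: it does its own
 * account lookup first, then uses locuser; "seen" records that use. */
static void model_rcmd(const char *locuser, char *seen, size_t n)
{
	(void)lookup("root");		/* clobbers acct_buf */
	snprintf(seen, n, "%s", locuser);
}

/* Before the fix: pass the pointer into static storage directly. */
int unsafe_call(char *seen, size_t n)
{
	struct acct *pwd = lookup("alice");
	model_rcmd(pwd->name, seen, n);
	return strcmp(seen, "alice") == 0;
}

/* After the fix: take a private copy first, as the patch does. */
int safe_call(char *seen, size_t n)
{
	struct acct *pwd = lookup("alice");
	char *user = strdup(pwd->name);
	if (user == NULL)
		return -1;
	model_rcmd(user, seen, n);
	free(user);
	return strcmp(seen, "alice") == 0;
}

int main(void)
{
	char seen[32];
	printf("unsafe: intact=%d\n", unsafe_call(seen, sizeof(seen)));
	printf("safe:   intact=%d\n", safe_call(seen, sizeof(seen)));
	return 0;
}
```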