Subject: bin/21201: Virtual bug in rcp
To: None <>
From: Christian Biere <>
List: netbsd-bugs
Date: 04/16/2003 05:56:44
>Number:         21201
>Category:       bin
>Synopsis:       Virtual buffer overrun in rcp
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    bin-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Wed Apr 16 03:57:01 UTC 2003
>Originator:     Christian Biere
>Release:        NetBSD 1.6Q

This bug is only virtual as the code is never compiled (currently).
However, someone might fix other problems so that it compiles and
might oversee this bug. The bug is that strncpy() is used
without verifying whether the input buffer contained a too large string.
This means dest_realm and dest_realm_buf might not be nul-terminated
(which *might* not be a problem) and it might blindly (or
willingly) truncate the input which *is always* a problem.


(ATM, support for -k is neither compiled nor compileable - which isn't
mentioned in the manpage, BTW)

/bin/rcp -k 0123456789012345678901234567890123456789


Content-Type: text/plain;
Content-Disposition: attachment;
Content-Transfer-Encoding: 7bit

Index: rcp.c
RCS file: /cvsroot/src/bin/rcp/rcp.c,v
retrieving revision 1.30
diff -u -r1.30 rcp.c
--- rcp.c	2002/11/22 21:46:02	1.30
+++ rcp.c	2003/04/16 03:41:23
@@ -135,7 +135,8 @@
 #ifdef	KERBEROS
 		case 'k':
 			dest_realm = dst_realm_buf;
-			(void)strncpy(dst_realm_buf, optarg, REALM_SZ);
+			if (strlcpy(dst_realm_buf, optarg, REALM_SZ) >= REALM_SZ);
+				errx(1, "Argument `realm' is too long.");
 #ifdef CRYPT
 		case 'x':

 This is a multi-part message in MIME format.
 Content-Type: text/plain; charset=US-ASCII
 Content-Transfer-Encoding: 7bit