>Number:         21201
>Category:       bin
>Synopsis:       Virtual buffer overrun in rcp
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    bin-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Wed Apr 16 03:57:01 UTC 2003
>Closed-Date:
>Last-Modified:
>Originator:     Christian Biere
>Release:        NetBSD 1.6Q
>Organization:
>Environment:

>Description:
This bug is only virtual as the code is never compiled (currently).
However, someone might fix other problems so that it compiles and
might oversee this bug. The bug is that strncpy() is used
without verifying whether the input buffer contained a too large string.
This means dest_realm and dest_realm_buf might not be nul-terminated
(which *might* not be a problem) and it might blindly (or
willingly) truncate the input which *is always* a problem.

>How-To-Repeat:

(ATM, support for -k is neither compiled nor compileable - which isn't
mentioned in the manpage, BTW)

/bin/rcp -k 0123456789012345678901234567890123456789

>Fix:

--Multipart_Wed__16_Apr_2003_05:56:44_+0200_081a3c00
Content-Type: text/plain;
 name="rcp.c.udif"
Content-Disposition: attachment;
 filename="rcp.c.udif"
Content-Transfer-Encoding: 7bit

Index: rcp.c
===================================================================
RCS file: /cvsroot/src/bin/rcp/rcp.c,v
retrieving revision 1.30
diff -u -r1.30 rcp.c
--- rcp.c	2002/11/22 21:46:02	1.30
+++ rcp.c	2003/04/16 03:41:23
@@ -135,7 +135,8 @@
 #ifdef	KERBEROS
 		case 'k':
 			dest_realm = dst_realm_buf;
-			(void)strncpy(dst_realm_buf, optarg, REALM_SZ);
+			if (strlcpy(dst_realm_buf, optarg, REALM_SZ) >= REALM_SZ);
+				errx(1, "Argument `realm' is too long.");
 			break;
 #ifdef CRYPT
 		case 'x':

--Multipart_Wed__16_Apr_2003_05:56:44_+0200_081a3c00--
>Release-Note:
>Audit-Trail:
>Unformatted:
 This is a multi-part message in MIME format.
 
 --Multipart_Wed__16_Apr_2003_05:56:44_+0200_081a3c00
 Content-Type: text/plain; charset=US-ASCII
 Content-Transfer-Encoding: 7bit