>Number:         23616
>Category:       bin
>Synopsis:       login might not back-off as expected
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    bin-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Tue Dec 02 00:09:00 UTC 2003
>Closed-Date:
>Last-Modified:
>Originator:     
>Release:        NetBSD 1.6ZF
>Organization:
>Environment:
System: NetBSD cyclonus 1.6ZF NetBSD 1.6ZF (STARSCREAM) #0: Sun Nov 30 01:56:21 CET 2003 bin@cyclonus:/usr/build/obj/sys/arch/i386/compile/STARSCREAM i386
Architecture: i386
Machine: i386
>Description:

Due to a hardcoded value in the back-off time calculation code the 
time to back-off can become negative. As this value is (automatically)
casted to an unsigned int, sleep() is called with a pretty uge value.
As this exceeds 1000000000 sleep returns immediately. This happens
for at most every 4 first login tries. The fact that login-backoff is
not always 3 because it's configurable was probably to overseen or
the code wasn't updated when the feature was added.

>How-To-Repeat:

Edit /etc/login.conf and add login-backoff=1 to any class. Try to
login as a user of this class and use a wrong password. Be surprised
that backing off starts even later.

>Fix:

Index: login.c
===================================================================
RCS file: /cvsroot/src/usr.bin/login/login.c,v
retrieving revision 1.75
diff -u -r1.75 login.c
--- login.c	2003/10/16 05:31:47	1.75
+++ login.c	2003/12/01 23:45:10
@@ -512,7 +512,7 @@
 				badlogin(username);
 				sleepexit(1);
 			}
-			sleep((u_int)((cnt - 3) * 5));
+			sleep((u_int)((cnt - login_backoff) * 5));
 		}
 	}
 
>Release-Note:
>Audit-Trail:
>Unformatted: