
[src/netbsd-1-6]: src/libexec/talkd Pull up revision 1.8 (requested by itojun...



details:   https://anonhg.NetBSD.org/src/rev/469af336d824
branches:  netbsd-1-6
changeset: 529135:469af336d824
user:      lukem <lukem%NetBSD.org@localhost>
date:      Wed Oct 02 03:14:31 2002 +0000

description:
Pull up revision 1.8 (requested by itojun in ticket #846):
find_user() in process.c does an unbounded copy into a destination
buffer that is smaller in size than the source buffer.
also, there is no guarantee that any of the string components of
the request packet are null terminated.
in some cases, not all elements of the response buffer are
explicitly set. specifically pad and addr. a talk client can spy to
see which host is talking to which host by sending out regular
packets, to which talkd responds without clearing the addr element.
from xs%kittenz.org@localhost

diffstat:

 libexec/talkd/process.c |  42 ++++++++++++++++++++++--------------------
 1 files changed, 22 insertions(+), 20 deletions(-)

diffs (109 lines):

diff -r bb411df8eabb -r 469af336d824 libexec/talkd/process.c
--- a/libexec/talkd/process.c   Wed Oct 02 03:14:24 2002 +0000
+++ b/libexec/talkd/process.c   Wed Oct 02 03:14:31 2002 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: process.c,v 1.6 1998/07/04 19:31:05 mrg Exp $  */
+/*     $NetBSD: process.c,v 1.6.12.1 2002/10/02 03:14:31 lukem Exp $   */
 
 /*
  * Copyright (c) 1983, 1993
@@ -38,7 +38,7 @@
 #if 0
 static char sccsid[] = "@(#)process.c  8.2 (Berkeley) 11/16/93";
 #else
-__RCSID("$NetBSD: process.c,v 1.6 1998/07/04 19:31:05 mrg Exp $");
+__RCSID("$NetBSD: process.c,v 1.6.12.1 2002/10/02 03:14:31 lukem Exp $");
 #endif
 #endif /* not lint */
 
@@ -78,27 +78,27 @@
        rp->vers = TALK_VERSION;
        rp->type = mp->type;
        rp->id_num = htonl(0);
+       mp->id_num = ntohl(mp->id_num);
+       mp->addr.sa_family = ntohs(mp->addr.sa_family);
+       mp->ctl_addr.sa_family = ntohs(mp->ctl_addr.sa_family);
+       mp->pid = ntohl(mp->pid);
        if (mp->vers != TALK_VERSION) {
                syslog(LOG_WARNING, "Bad protocol version %d", mp->vers);
                rp->answer = BADVERSION;
                return;
        }
-       mp->id_num = ntohl(mp->id_num);
-       mp->addr.sa_family = ntohs(mp->addr.sa_family);
        if (mp->addr.sa_family != AF_INET) {
                syslog(LOG_WARNING, "Bad address, family %d",
                    mp->addr.sa_family);
                rp->answer = BADADDR;
                return;
        }
-       mp->ctl_addr.sa_family = ntohs(mp->ctl_addr.sa_family);
        if (mp->ctl_addr.sa_family != AF_INET) {
                syslog(LOG_WARNING, "Bad control address, family %d",
                    mp->ctl_addr.sa_family);
                rp->answer = BADCTLADDR;
                return;
        }
-       mp->pid = ntohl(mp->pid);
        if (debug || logging)
                print_request("request", mp);
        switch (mp->type) {
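Review bot: The string fields of the request (l_name, r_name, r_tty) are still not NUL-terminated anywhere in this hunk before print_request() and the dispatch below read them, even though the commit message lists unterminated packet strings as one of the problems being fixed. Unless that termination is done in a companion talkd.c change outside this per-file changeset, it belongs here, right after the byte swaps: `mp->l_name[sizeof(mp->l_name) - 1] = '\0';` `mp->r_name[sizeof(mp->r_name) - 1] = '\0';` `mp->r_tty[sizeof(mp->r_tty) - 1] = '\0';`. Hoisting the ntohl/ntohs conversions ahead of the version check looks harmless; the BADADDR/BADCTLADDR paths already logged converted values. process_request's signature and the rest of its switch lie outside the hunk.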
@@ -149,7 +149,7 @@
        int result;
 
        /* see if the user is logged */
-       result = find_user(mp->r_name, mp->r_tty);
+       result = find_user(mp->r_name, mp->r_tty, sizeof(mp->r_tty));
        if (result != SUCCESS) {
                rp->answer = result;
                return;
@@ -186,8 +186,9 @@
  * Search utmp for the local user
  */
 int
-find_user(name, tty)
+find_user(name, tty, ttysize)
        char *name, *tty;
+       size_t ttysize;
 {
        struct utmp ubuf;
        int status;
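Review bot: The new ttysize parameter is undocumented; the header comment at the top of the hunk should state that tty is an in/out buffer of ttysize bytes, empty on entry to mean "any tty" and holding the chosen line name on SUCCESS, e.g. `/* tty: in/out buffer of ttysize bytes; "" on entry means any tty */`. If find_user is also declared in a project header (extern.h), that prototype must gain the size_t argument as well, and no such file is in this changeset's diffstat. find_user's body continues past the hunk.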
@@ -204,7 +205,7 @@
        }
 #define SCMPN(a, b)    strncmp(a, b, sizeof (a))
        status = NOT_HERE;
-       (void) strcpy(ftty, _PATH_DEV);
+       (void) strlcpy(ftty, _PATH_DEV, sizeof(ftty));
 
        if (*tty == '\0')
                anytty = 1;
@@ -218,17 +219,18 @@
                        /* no particular tty was requested */
                        /* XXX strcpy is safe */
                        (void)strcpy(ftty + sizeof(_PATH_DEV) - 1, line);
-                       if (stat(ftty, &statb) == 0) {
-                               if (!(statb.st_mode & S_IWGRP)) {
-                                       if (status != SUCCESS)
-                                               status = PERMISSION_DENIED;
-                                       continue;
-                               }
-                               if (statb.st_atime > atime) {
-                                       atime = statb.st_atime;
-                                       (void)strcpy(tty, line);
-                                       status = SUCCESS;
-                               }
+                       if (stat(ftty, &statb) != 0)
+                               continue;
+
+                       if (!(statb.st_mode & S_IWGRP)) {
+                               if (status != SUCCESS)
+                                       status = PERMISSION_DENIED;
+                               continue;
+                       }
+                       if (statb.st_atime > atime &&
+                           strlcpy(tty, line, ttysize) < ttysize) {
+                               atime = statb.st_atime;
+                               status = SUCCESS;
                        }
                } else if (strcmp(line, tty) == 0) {
                        status = SUCCESS;
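Review bot: The truncation test on the new strlcpy line runs after the copy has already overwritten tty, so a utmp line too long for the buffer leaves a truncated name in tty while atime and status keep the values from an earlier, shorter match; the caller can then get SUCCESS paired with the wrong tty name. Check the length before touching the buffer: `if (statb.st_atime > atime && strlen(line) < ttysize) {` and then `(void)strlcpy(tty, line, ttysize);` next to the existing atime and status updates. This assumes line is itself NUL-terminated; its origin (the copy out of ubuf.ut_line) is above the hunk and not visible here. find_user's loop and its return lie outside the hunk.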


