

[src/netbsd-1-6]: src/libexec/talkd Pull up revision 1.14 (requested by itoju...



details:   https://anonhg.NetBSD.org/src/rev/bb411df8eabb
branches:  netbsd-1-6
changeset: 529134:bb411df8eabb
user:      lukem <lukem%NetBSD.org@localhost>
date:      Wed Oct 02 03:14:24 2002 +0000

description:
Pull up revision 1.14 (requested by itojun in ticket #846):
find_user() in process.c does an unbounded copy into a destination
buffer that is smaller in size than the source buffer.
also, there is no guarantee that any of the string components of
the request packet are null terminated.
in some cases, not all elements of the response buffer are
explicitly set. specifically pad and addr. a talk client can spy to
see which host is talking to which host by sending out regular
packets, to which talkd responds without clearing the addr element.
from xs%kittenz.org@localhost

diffstat:

 libexec/talkd/talkd.c |  13 +++++++++++--
 1 files changed, 11 insertions(+), 2 deletions(-)

diffs (53 lines):

diff -r 5b967df07824 -r bb411df8eabb libexec/talkd/talkd.c
--- a/libexec/talkd/talkd.c     Wed Oct 02 03:14:16 2002 +0000
+++ b/libexec/talkd/talkd.c     Wed Oct 02 03:14:24 2002 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: talkd.c,v 1.13 2001/09/27 14:38:58 christos Exp $      */
+/*     $NetBSD: talkd.c,v 1.13.2.1 2002/10/02 03:14:24 lukem Exp $     */
 
 /*
  * Copyright (c) 1983, 1993
@@ -43,7 +43,7 @@
 #if 0
 static char sccsid[] = "@(#)talkd.c    8.1 (Berkeley) 6/4/93";
 #else
-__RCSID("$NetBSD: talkd.c,v 1.13 2001/09/27 14:38:58 christos Exp $");
+__RCSID("$NetBSD: talkd.c,v 1.13.2.1 2002/10/02 03:14:24 lukem Exp $");
 #endif
 #endif /* not lint */
 
@@ -122,6 +122,7 @@
        signal(SIGALRM, timeout);
        alarm(TIMEOUT);
        for (;;) {
+               memset(&response, 0, sizeof(response));
                cc = recv(0, (char *)mp, sizeof (*mp), 0);
                if (cc != sizeof (*mp)) {
                        if (cc < 0 && errno != EINTR)
@@ -131,9 +132,15 @@
                lastmsgtime = time(0);
                process_request(mp, &response);
 
+               mp->l_name[sizeof(mp->l_name) - 1] = '\0';
+               mp->r_name[sizeof(mp->r_name) - 1] = '\0';
+               mp->r_tty[sizeof(mp->r_tty) - 1] = '\0';
+
                (void)memcpy(&ctl_addr, &mp->ctl_addr, sizeof(ctl_addr));
                ctl_addr.sa_family = mp->ctl_addr.sa_family;
                ctl_addr.sa_len = sizeof(ctl_addr);
+               if (ctl_addr.sa_family != AF_INET)
+                       continue;
 
                /* can block here, is this what I want? */
                cc = sendto(sockt, (char *)&response, sizeof (response), 0,
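Review bot: The three NUL-terminations of `mp->l_name`, `mp->r_name` and `mp->r_tty` are placed after `process_request(mp, &response);`, so process_request() — and find_user(), which the commit description names as the function doing the unbounded copy — still runs on the raw packet with possibly unterminated strings; the fix only protects code that reads the request afterwards. Move the three `mp->...[sizeof(...) - 1] = '\0';` lines above the process_request() call so every reader of the request sees terminated strings. The `if (ctl_addr.sa_family != AF_INET) continue;` check has the same ordering issue: a request carrying a non-INET control address has already been processed by the time it is dropped, so it still updates talkd's state and merely gets no reply; if rejecting such requests is the intent, that check belongs before process_request() as well. The enclosing for-loop and function start and end outside the hunk.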
@@ -147,8 +154,10 @@
 timeout(n)
        int n;
 {
+       int save_errno = errno;
 
        if (time(0) - lastmsgtime >= MAXIDLE)
                _exit(0);
        alarm(TIMEOUT);
+       errno = save_errno;
 }
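Review bot: The errno save/restore around the handler body is correct, but `timeout()` also reads `lastmsgtime`, which the main loop assigns, from signal context; its declaration is outside this hunk, and unless it is declared `volatile` the compiler is free to cache the value, and on targets where time_t is wider than a machine word the read can be torn. Consider documenting the handler's contract with a comment such as `/* SIGALRM handler: async-signal-safe calls only (time, alarm, _exit); lastmsgtime is written by the main loop */` and declaring `lastmsgtime` volatile where it is defined. The unused `n` parameter is fine for a signal handler but could be marked as such if the file already uses an unused-argument idiom.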


