Date: Fri, 17 Sep 2010 05:47:25 -0700 (PDT) 
From: Andrey Ignatov
To: FreeBSD-gnats-submit@FreeBSD.org
Subject: bin/150648: rshd(8): Incorrect determination of length of user name.

>Number:         150648
>Category:       bin
>Synopsis:       rshd(8): Incorrect determination of length of user name.
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Fri Sep 17 13:20:00 UTC 2010
>Closed-Date:
>Last-Modified:
>Originator:     Andrey Ignatov
>Release:        FreeBSD 7.2-STABLE amd64
>Organization:
>Environment:
System: FreeBSD xxxxx.ru 7.2-STABLE FreeBSD 7.2-STABLE #0 r199991M: Fri Dec 18 16:02:18 MSK 2009 root@xxxxx.ru:/path/to/obj/dir/MYKERNEL amd64

>Description:
man 8 rshd:
-->
DESCRIPTION
     ...
     6.   A null terminated user name of at most 16 characters is retrieved on
          the initial socket.  This user name is interpreted as a user identity
          to use on the server's machine.
     ...
DIAGNOSTICS
     ...
     Ruser too long.
             The name of the user on the remote machine is longer than 16
             characters.
     ...
<--

But a user whose name is 15 characters long (15 + '\0' = 16) can't run a command via rsh on the host. He gets "Ruser too long".

This bug is critical for one of my users. The length of his name is 15 characters :)

>How-To-Repeat:
1. On host1 (rsh-server):
   # testuser=$(jot -b u -s "" 15)
   # echo ${#testuser}
   15
   # pw useradd $testuser -u 12345 -c "Test user" -d /home/test -g operator -m -w no -s /bin/sh
   # pw usershow $testuser
   uuuuuuuuuuuuuuu:*:12345:5::0:0:Test user:/home/test:/bin/sh

2.
   On host2 (client):
   # testuser=$(jot -b u -s "" 15)
   # echo ${#testuser}
   15
   # pw useradd $testuser -u 12345 -c "Test user" -d /home/test -g operator -m -w no -s /bin/sh
   # pw usershow $testuser
   uuuuuuuuuuuuuuu:*:12345:5::0:0:Test user:/home/test:/bin/sh
   # su -l $testuser
   $ id
   uid=12345(uuuuuuuuuuuuuuu) gid=5(operator) groups=5(operator)
   $ rsh host1 hostname
   rshd: ruser too long

>Fix:
--- libexec/rshd/rshd.c.orig 2010-09-15 16:07:06.000000000 +0400 +++ libexec/rshd/rshd.c 2010-09-15 16:07:37.000000000 +0400 @@ -538,7 +538,7 @@ if (read(STDIN_FILENO, &c, 1) != 1) exit(1); *buf++ = c; - if (--cnt == 0) + if (cnt-- == 0) rshd_errx(1, "%s too long", error); } while (c != 0); }
>Release-Note:
>Audit-Trail:
>Unformatted:
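
Review bot: In the `@@ -538,7 +538,7 @@` hunk of libexec/rshd/rshd.c, the new test `if (cnt-- == 0)` still runs after `*buf++ = c;`, so an over-long name is rejected only once byte cnt+1 has already been stored. If the caller's buffer holds exactly cnt bytes (the callers are not visible in this hunk), that is a one-byte write past its end before rshd_errx() is reached. Suggest keeping the pre-decrement and excusing only the terminator, for example `if (--cnt == 0 && c != 0)`: with the 16-byte limit the report describes, a 15-character name plus '\0' is then accepted, a 16th non-NUL byte is still rejected, and no more than cnt bytes are ever stored. The PR should also state whether the man page's "at most 16 characters" is meant to include the terminating NUL, so the text and the check agree.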