Date: Tue, 5 May 1998 21:41:03 GMT
From: dan@obluda.cz
To: FreeBSD-gnats-submit@FreeBSD.ORG
Subject: bin/6529: potential timing problem with login after bad password given
Message-ID: <199805052141.VAA03558@danio.cz>
>Number:         6529
>Category:       bin
>Synopsis:       potential timing problem with login after bad password given
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue May 5 17:20:01 PDT 1998
>Last-Modified:
>Originator:     Dan Lukes
>Organization:   Dan Lukes
>Release:        FreeBSD 2.2.6-RELEASE i386
>Environment:

	no special environment settings, standard installation
	"$Id: login.c,v 1.12.2.9 1998/02/18 12:07:42 markm Exp $"

>Description:

	/usr.sbin/login/login.c:

	The variable "backoff" is initialized (source line 267) from the
	login-backoff tag of the login capabilities database or (source line 272)
	from DEFAULT_BACKOFF (=3, see line 123).

	Imagine that a user gives a bad password, and see source line 513.
	If the "cnt" variable (number of attempts) is greater than "backoff",
	then sleep is called. The problem is with the sleep argument.
	((cnt - 3) * 5) can be a negative number if "backoff" is less than 2.

	If the login capabilities database/login-backoff tag is set to less
	than 2 by the administrator and the user gives a bad password, then the
	sleep on line 518 causes login to sleep until the login times out
	(or SIGINT or SIGQUIT).

	A similar situation occurs if the #define DEFAULT_BACKOFF (line 272)
	is changed to 1 or less and the appropriate tag isn't present or the
	login capabilities functions aren't compiled in.

	IMHO, this inconsistency is related to the adding of
	login_capabilities_database support to the login program, but this part
	of the program remains intact with the old coded-in constants.

>How-To-Repeat:

	Add the :login-backoff=1: tag to /etc/login.conf, class default,
	(re)start the login program on a tty and try to log in with a bad
	password (two attempts). login will sleep until SIGINT, SIGQUIT or
	login timeout.

>Fix:

	Change line 518 of login.c from

		sleep((u_int)((cnt - 3) * 5));

	to

		sleep((u_int)((cnt - backoff) * 5));

	Recompile and reinstall the login program.

	The workaround is to set the login-backoff tag to 3 or more or to
	remove this tag from the login.conf database.

>Audit-Trail:
>Unformatted:
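The arithmetic behind the report, as an added example that is not part of the original message or of login.c: it compares the value handed to sleep() by the reported expression and by the proposed one across several backoff settings. The function names are hypothetical, and the guard "cnt > backoff" is modelled from the description above.

```c
#include <limits.h>
#include <stdio.h>

/* Expression from the report: the guard uses the configurable backoff,
 * but the delay is still computed from the old constant 3.
 * Returns the value sleep() would receive, or 0 when sleep is not reached. */
static unsigned int delay_reported(int cnt, int backoff)
{
    if (cnt <= backoff)
        return 0;
    /* For cnt < 3 the int result is negative; the cast to unsigned
     * wraps it to a value just below UINT_MAX. */
    return (unsigned int)((cnt - 3) * 5);
}

/* Expression from the proposed fix: guard and arithmetic agree. */
static unsigned int delay_fixed(int cnt, int backoff)
{
    if (cnt <= backoff)
        return 0;
    /* cnt > backoff holds here, so cnt - backoff >= 1. */
    return (unsigned int)((cnt - backoff) * 5);
}

int main(void)
{
    /* Constructed inputs: backoff settings 0..4, failed attempts 1..5. */
    for (int backoff = 0; backoff <= 4; backoff++)
        for (int cnt = 1; cnt <= 5; cnt++)
            printf("backoff=%d cnt=%d reported=%u fixed=%u\n",
                   backoff, cnt,
                   delay_reported(cnt, backoff),
                   delay_fixed(cnt, backoff));
    return 0;
}
```

With backoff=1 and two failed attempts the reported expression yields a delay of UINT_MAX - 4 seconds, which matches the behaviour in How-To-Repeat; with backoff=2 and three attempts it yields no delay at all.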