Date: Wed, 17 Jul 1996 18:09:11 -0700
From: skynyrd@opus.cts.cwu.edu
To: FreeBSD-gnats-submit@freebsd.org
Subject: bin/1395: rshd syslog msg garbled by stale struct hostent ptr
Message-ID: <199607180109.SAA15567@opus.cts.cwu.edu>
Resent-Message-ID: <199607180110.SAA05815@freefall.freebsd.org>
>Number:         1395
>Category:       bin
>Synopsis:       rshd syslog msg garbled by stale struct hostent ptr
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Wed Jul 17 18:10:01 PDT 1996
>Last-Modified:
>Originator:     Chris Timmons
>Organization:   Central Washington University
>Release:        FreeBSD 2.x.x-RELEASE i386
>Environment:
2.1-STABLE FreeBSD 2.1-STABLE #0: Mon Jul 8 21:26:23 PDT 1996
/usr/src/libexec/rshd/rshd.c: static char sccsid[] = "@(#)rshd.c 8.2 (Berkeley) 4/6/94";
Problem has been present at least since 2.0-R if my memory serves me right.
>Description:
When an rsh is denied by rshd because the client is lacking appropriate .rhosts permission, an error message is formatted for syslog which contains the client's hostname. The hostname portion of the message relies on a pointer to a field within gethostbyname()'s internal struct hostent which changes state between when the pointer is initialized and when it is dereferenced to create the message.

At line 325 in rshd.c the client hostname is obtained with gethostbyaddr(). By default, if the gethostbyaddr() returned a hostname, rshd will take this hostname and then do a forward lookup on it to see if there is a discrepancy in the DNS. At line 339, the result of the query of line 325 is copied into the char array of name "remotehost". Subsequently, gethostbyname() is called and the resulting response is searched for the client's IP address. If there is no discrepancy in the DNS per this check, the (char *) variable of name "hostname" is set on line 364 to point at gethostbyname()'s struct hostent h_name field, which at that instant contains the client's hostname. When variable "hostent" is subsequently dereferenced on line 460, the resolver routines have been called in the interim, and the value of h_name is typically garbage.
>How-To-Repeat:
Allow inetd to start rshd on host S from host C (i.e. if you have tcpd make sure it is letting rshd start.) See that you are receiving auth.info syslog messages someplace (in /var/log/messages by the default /etc/syslog.conf.)

From host C, send an rsh command such as 'w' to host S for an account which will be denied access based on .rhosts permissions. The hostname portion of the message is typically incorrect, especially when the client has a long hostname.

rshd[13506]: root@cruft.bad.here as root: permission denied. cmd='w'
                  ^^^^^^^^^^^^^^
>Fix:
The transfer of the client's hostname into the array "remotehost" at line 339 provides an unmolested copy of the client's hostname from which to draw upon when constructing error messages containing the client's hostname. Line 364 is executed when rshd discovers that the forward and inverse DNS lookups for the client's IP address are in agreement. Instead of setting the variable "hostname" to point into the resolver's copy of the hostname at that instant, set "hostname" to point at "remotehost" instead, which will keep a clean copy for us.

*** rshd.c 1996/07/17 22:43:25 1.1 --- rshd.c 1996/07/18 00:12:18 *************** *** 361,367 **** if (!bcmp(hp->h_addr_list[0], (caddr_t)&fromp->sin_addr, sizeof(fromp->sin_addr))) { ! hostname = hp->h_name; break; } } --- 361,367 ---- if (!bcmp(hp->h_addr_list[0], (caddr_t)&fromp->sin_addr, sizeof(fromp->sin_addr))) { ! hostname = remotehost; break; } }

>Audit-Trail:
>Unformatted:
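Review bot: the changed line `hostname = remotehost;` carries no comment saying why the private copy is preferred over `hp->h_name`, so a later cleanup could revert it to the pointer and reintroduce the stale-hostent bug; add a one-line comment at the assignment, e.g. `/* hp->h_name is resolver static storage and is clobbered by later lookups */`. Since this hunk only touches the branch where `h_addr_list[0]` matches the peer address, it is also worth checking that every other assignment of `hostname` in rshd.c (the paths where the forward lookup is skipped or disagrees) likewise points at storage rshd owns, and that the copy into `remotehost` at line 339 is bounded and NUL-terminated, because that buffer is now what reaches the syslog message.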
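The failure mode in this report, as an added example that is neither rshd code nor part of the original report: fake_resolve() is a constructed stand-in for gethostbyaddr()/gethostbyname() that, like them, returns a pointer into one static buffer every call overwrites, and client_name() walks the same sequence as rshd.c (reverse lookup, bounded copy into remotehost, forward lookup, then an unrelated resolver call before the denial message is built). With use_copy = 0 it aliases h_name the way the unpatched line 364 did and the logged host is wrong; with use_copy = 1 it uses the remotehost copy, as the fix does. The address 10.0.0.5, the names, and the interim "loghost" lookup are all invented for the example.

```c
#include <stdio.h>
#include <string.h>

#define MAXHOSTNAMELEN 64   /* stand-in for the BSD constant of the same name */

/* Constructed stand-in for the libc resolver.  Like gethostbyaddr() and
 * gethostbyname(), every call overwrites the SAME static storage and hands
 * back a pointer into it, so a saved h_name is only valid until the next
 * resolver call. */
struct fake_hostent {
    char *h_name;                   /* canonical name, points at static storage */
};

static struct fake_hostent *fake_resolve(const char *query)
{
    static char name_storage[MAXHOSTNAMELEN];
    static struct fake_hostent he = { name_storage };
    const char *answer;

    /* Constructed records: a reverse record for the client, a forward
     * record for its name, and one unrelated name an interim lookup fetches. */
    if (strcmp(query, "10.0.0.5") == 0)
        answer = "cruft.bad.here";
    else if (strcmp(query, "cruft.bad.here") == 0)
        answer = "cruft.bad.here";
    else if (strcmp(query, "loghost") == 0)
        answer = "loghost.example.org";
    else
        return NULL;

    snprintf(name_storage, sizeof name_storage, "%s", answer);
    return &he;
}

/* Builds the denial message the way rshd does.  use_copy = 0 mirrors the
 * unpatched code (hostname aliases hp->h_name); use_copy = 1 mirrors the
 * fix (hostname points at the private remotehost copy).  Returns msg, or
 * NULL if a lookup fails. */
static const char *client_name(int use_copy, char *msg, size_t msglen)
{
    char remotehost[MAXHOSTNAMELEN];
    struct fake_hostent *hp;
    const char *hostname;

    hp = fake_resolve("10.0.0.5");              /* reverse lookup of the peer */
    if (hp == NULL)
        return NULL;

    /* Bounded copy, explicitly NUL-terminated: this private copy is what
     * survives later resolver calls. */
    strncpy(remotehost, hp->h_name, sizeof remotehost - 1);
    remotehost[sizeof remotehost - 1] = '\0';

    hp = fake_resolve(remotehost);              /* forward lookup to cross-check */
    if (hp == NULL)
        return NULL;
    /* rshd compares hp->h_addr_list[0] with the peer address here; the
     * stand-in has no address list, so a name match stands in for it. */
    if (strcmp(hp->h_name, remotehost) != 0)
        return NULL;

    hostname = use_copy ? remotehost : hp->h_name;

    /* Assumed unrelated resolver call made before the message is logged;
     * it overwrites the static storage that hp->h_name points at. */
    fake_resolve("loghost");

    snprintf(msg, msglen, "root@%s as root: permission denied. cmd='w'", hostname);
    return msg;
}

int main(void)
{
    char stale[128], fixed[128];

    printf("stale pointer: %s\n", client_name(0, stale, sizeof stale));
    printf("private copy:  %s\n", client_name(1, fixed, sizeof fixed));
    return 0;
}
```

The stale variant logs "root@loghost.example.org ..." even though the peer was cruft.bad.here; in the real daemon the clobbered storage is usually partial garbage rather than a clean other name, which is why long client hostnames show the corruption most visibly. The copy variant is also the one that is bounded: whatever the resolver hands back, only MAXHOSTNAMELEN - 1 bytes reach the log line.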
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?199607180109.SAA15567>