From owner-freebsd-bugs Wed Jul 17 18:10:03 1996
Return-Path: owner-bugs
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id SAA05821 for bugs-outgoing; Wed, 17 Jul 1996 18:10:03 -0700 (PDT)
Received: (from gnats@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id SAA05815; Wed, 17 Jul 1996 18:10:02 -0700 (PDT)
Resent-Date: Wed, 17 Jul 1996 18:10:02 -0700 (PDT)
Resent-Message-Id: <199607180110.SAA05815@freefall.freebsd.org>
Resent-From: gnats (GNATS Management)
Resent-To: freebsd-bugs
Resent-Reply-To: FreeBSD-gnats@freefall.FreeBSD.org, skynyrd@opus.cts.cwu.edu
Received: from pahtoh.cwu.edu (root@pahtoh.cwu.edu [198.104.65.27]) by freefall.freebsd.org (8.7.5/8.7.3) with SMTP id SAA05685 for ; Wed, 17 Jul 1996 18:09:12 -0700 (PDT)
Received: from opus.cts.cwu.edu (root@opus.cts.cwu.edu [198.104.65.210]) by pahtoh.cwu.edu (8.6.13/8.6.9) with ESMTP id SAA06873 for ; Wed, 17 Jul 1996 18:09:11 -0700
Received: (from skynyrd@localhost) by opus.cts.cwu.edu (8.6.13/8.6.12) id SAA15567; Wed, 17 Jul 1996 18:09:11 -0700
Message-Id: <199607180109.SAA15567@opus.cts.cwu.edu>
Date: Wed, 17 Jul 1996 18:09:11 -0700
From: skynyrd@opus.cts.cwu.edu
Reply-To: skynyrd@opus.cts.cwu.edu
To: FreeBSD-gnats-submit@freebsd.org
X-Send-Pr-Version: 3.2
Subject: bin/1395: rshd syslog msg garbled by stale struct hostent ptr
Sender: owner-bugs@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

>Number:         1395
>Category:       bin
>Synopsis:       rshd syslog msg garbled by stale struct hostent ptr
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Wed Jul 17 18:10:01 PDT 1996
>Last-Modified:
>Originator:     Chris Timmons
>Organization:   Central Washington University
>Release:        FreeBSD 2.x.x-RELEASE i386
>Environment:
2.1-STABLE
FreeBSD 2.1-STABLE #0: Mon Jul 8 21:26:23 PDT 1996
/usr/src/libexec/rshd/rshd.c: static char sccsid[] = "@(#)rshd.c 8.2 (Berkeley) 4/6/94";
Problem has been present at least since 2.0-R if my memory serves me right.
>Description:
When an rsh is denied by rshd because the client is lacking appropriate .rhosts permission, an error message is formatted for syslog which contains the client's hostname. The hostname portion of the message relies on a pointer to a field within gethostbyname()'s internal struct hostent, which changes state between when the pointer is initialized and when it is dereferenced to create the message.

At line 325 in rshd.c the client hostname is obtained with gethostbyaddr(). By default, if gethostbyaddr() returned a hostname, rshd will take this hostname and then do a forward lookup on it to see if there is a discrepancy in the DNS. At line 339, the result of the query of line 325 is copied into the char array of name "remotehost". Subsequently, gethostbyname() is called and the resulting response is searched for the client's IP address. If there is no discrepancy in the DNS per this check, the (char *) variable of name "hostname" is set on line 364 to point at gethostbyname()'s struct hostent h_name field, which at that instant contains the client's hostname. When variable "hostname" is subsequently dereferenced on line 460, the resolver routines have been called in the interim, and the value of h_name is typically garbage.
>How-To-Repeat:
Allow inetd to start rshd on host S from host C (i.e. if you have tcpd, make sure it is letting rshd start). See that you are receiving auth.info syslog messages someplace (in /var/log/messages by the default /etc/syslog.conf). From host C, send an rsh command such as 'w' to host S for an account which will be denied access based on .rhosts permissions. The hostname portion of the message is typically incorrect, especially when the client has a long hostname.

rshd[13506]: root@cruft.bad.here as root: permission denied. cmd='w'
                  ^^^^^^^^^^^^^^
>Fix:
The transfer of the client's hostname into the array "remotehost" at line 339 provides an unmolested copy of the client's hostname from which to draw upon when constructing error messages containing the client's hostname. Line 364 is executed when rshd discovers that the forward and inverse DNS lookups for the client's IP address are in agreement. Instead of setting the variable "hostname" to point into the resolver's copy of the hostname at that instant, set "hostname" to point at "remotehost" instead, which will keep a clean copy for us.

*** rshd.c 1996/07/17 22:43:25 1.1 --- rshd.c 1996/07/18 00:12:18 *************** *** 361,367 **** if (!bcmp(hp->h_addr_list[0], (caddr_t)&fromp->sin_addr, sizeof(fromp->sin_addr))) { ! hostname = hp->h_name; break; } } --- 361,367 ---- if (!bcmp(hp->h_addr_list[0], (caddr_t)&fromp->sin_addr, sizeof(fromp->sin_addr))) { ! hostname = remotehost; break; } }

>Audit-Trail:
>Unformatted:
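Review bot: the hunk makes `hostname` alias the local array `remotehost`, so the patch is only as sound as the copy into that array at line 339; confirm that copy is bounded to `sizeof(remotehost) - 1` and explicitly NUL-terminated, since the PR itself says the garbling shows most with long client hostnames, which is exactly the input that would overrun an unbounded copy, and confirm `hostname` is never read after `remotehost` goes out of scope if it is a function-local array. A one-line comment at `hostname = remotehost;` saying that `hp->h_name` points into the resolver's static buffer and is clobbered by later lookups would keep a future editor from reverting to the shorter form.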
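The stale-pointer mechanism from the Description and the copy-first fix from the patch, as an added C example that is not part of the PR or of rshd itself: the real resolver is replaced by a constructed stand-in, fake_gethostbyname (a hypothetical name), which like gethostbyname() hands back one static struct hostent whose h_name is overwritten on every call, so the example runs offline; HOSTBUF is an assumed buffer size, not rshd's.

```c
#include <stdio.h>
#include <string.h>
#include <netdb.h>      /* struct hostent, the type rshd reads h_name from */

#define HOSTBUF 256     /* assumed size for the local remotehost[] copy */

/* Constructed stand-in for the resolver (hypothetical, not libc): like
 * gethostbyname() it returns a pointer to ONE static struct hostent whose
 * h_name buffer is reused on every call.  No DNS traffic is generated. */
static struct hostent *fake_gethostbyname(const char *query)
{
    static char namebuf[HOSTBUF];
    static struct hostent he;
    snprintf(namebuf, sizeof namebuf, "%s.example.test", query);
    he.h_name = namebuf;
    return &he;
}

/* Pre-patch pattern: keep hp->h_name, let another resolver call happen,
 * then build the log message through the kept pointer.  Returns 1 if the
 * name seen at log time is still the client's, 0 if it was clobbered. */
int stale_pointer_is_correct(void)
{
    struct hostent *hp = fake_gethostbyname("client");
    const char *hostname = hp->h_name;           /* aliases static data */
    (void)fake_gethostbyname("other");           /* interim resolver call */
    return strcmp(hostname, "client.example.test") == 0;
}

/* Patched pattern: copy h_name into a local array right after the lookup,
 * bounded and NUL-terminated, and point hostname at the copy instead. */
int copied_name_is_correct(void)
{
    char remotehost[HOSTBUF];
    const char *hostname;
    struct hostent *hp = fake_gethostbyname("client");
    strncpy(remotehost, hp->h_name, sizeof remotehost - 1);
    remotehost[sizeof remotehost - 1] = '\0';    /* strncpy may not terminate */
    hostname = remotehost;
    (void)fake_gethostbyname("other");           /* no longer affects the copy */
    return strcmp(hostname, "client.example.test") == 0;
}

int main(void)
{
    printf("stale pointer still correct: %d\n", stale_pointer_is_correct()); /* 0 */
    printf("local copy still correct:    %d\n", copied_name_is_correct());   /* 1 */
    return 0;
}
```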