Date: Thu, 25 Jul 1996 23:39:56 -0700 (PDT)
From: "David E. O'Brien" <obrien@Nuxi.cs.ucdavis.edu>
To: vitjok@fasts.lv (Victor Rotanov)
Cc: freebsd-security@freebsd.org
Subject: Re: unofficial rlogin security patch
Message-ID: <199607260639.XAA12397@relay.nuxi.com>
In-Reply-To: <Pine.BSF.3.91.960724215007.1220A-100000@server.fasts.lv> from Victor Rotanov at "Jul 24, 96 09:52:17 pm"

> ! > ! (void)strncpy(term, (p = getenv("TERM")) ? p : "network", 1016); > if (ioctl(0, TIOCGETP, &ttyb) == 0) {

Except that you STILL left a big blowing hole. Now there is a chance term
won't be nul terminated. From the man page:

     The strncpy() copies not more than len characters into dst, appending
     `\0' characters if src is less than len characters long, and not
     terminating dst if src is more than len characters long.

Notice that strncpy() will NOT append '\0' if strlen(src) > n.
Look at the real 2.1.5 patch and you will notice the
``term[1015] = '\0';'' instruction that is always needed after a strncpy().

-- David (obrien@cs.ucdavis.edu)
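
Review bot: nothing between the strncpy() call and the ioctl() line writes a terminator, so term is not guaranteed to be a valid string once TERM reaches the 1016-byte count. Store '\0' in the last position the copy can write, immediately after the call, and derive the bound from the destination's declared size rather than repeating the literal 1016.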
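
The strncpy() behaviour discussed in the reply, as an added C example that is not part of the original message or of the FreeBSD patch. The 8-byte TERM_MAX, the helper names and the sample inputs are constructed for illustration, and the example also covers the boundary case where the source is exactly as long as the count.

```c
#include <stdio.h>
#include <string.h>

#define TERM_MAX 8   /* constructed stand-in for the 1016 in the quoted patch */

/* Pattern from the quoted hunk: bounded copy, no terminator written. */
static void copy_bare(char *dst, const char *src, size_t n)
{
    (void)strncpy(dst, src, n);
}

/* Pattern the reply describes: same copy, then force a NUL in the last slot. */
static void copy_terminated(char *dst, const char *src, size_t n)
{
    (void)strncpy(dst, src, n);
    dst[n - 1] = '\0';
}

/* Returns 1 if a NUL appears within the first n bytes of buf, else 0. */
static int has_nul(const char *buf, size_t n)
{
    return memchr(buf, '\0', n) != NULL;
}

/* Copy a constructed TERM value of srclen bytes into a TERM_MAX-byte buffer
 * pre-filled with non-zero bytes, and report whether the result is a string. */
static int result_is_string(size_t srclen, int terminate)
{
    char src[4 * TERM_MAX], dst[TERM_MAX];
    if (srclen >= sizeof(src))
        return -1;                      /* sample input too long for this demo */
    memset(src, 'x', srclen);
    src[srclen] = '\0';
    memset(dst, 0x7f, sizeof(dst));     /* simulate stale stack contents */
    if (terminate)
        copy_terminated(dst, src, sizeof(dst));
    else
        copy_bare(dst, src, sizeof(dst));
    return has_nul(dst, sizeof(dst));
}

int main(void)
{
    size_t lens[] = { TERM_MAX - 1, TERM_MAX, TERM_MAX + 5 };
    for (size_t i = 0; i < sizeof(lens) / sizeof(lens[0]); i++)
        printf("len %2zu: bare=%d terminated=%d\n", lens[i],
               result_is_string(lens[i], 0), result_is_string(lens[i], 1));
    return 0;
}
```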