From: "David E. O'Brien"
Message-Id: <199607260639.XAA12397@relay.nuxi.com>
Subject: Re: unofficial rlogin security patch
To: vitjok@fasts.lv (Victor Rotanov)
Date: Thu, 25 Jul 1996 23:39:56 -0700 (PDT)
Cc: freebsd-security@freebsd.org
In-Reply-To: from Victor Rotanov at "Jul 24, 96 09:52:17 pm"

> !
> !	(void)strncpy(term, (p = getenv("TERM")) ? p : "network", 1016);
> 	if (ioctl(0, TIOCGETP, &ttyb) == 0) {

Except that you STILL left a big blowing hole. Now there is a chance term won't be nul terminated. From the man page:

	The strncpy() copies not more than len characters into dst, appending `\0' characters if src is less than len characters long, and not terminating dst if src is more than len characters long.

Notice that strncpy() will NOT append '\0' if strlen(src) > n. Look at the real 2.1.5 patch and you will notice the ``term[1015] = '\0';'' instruction that is always needed after a strncpy().

-- 
David  (obrien@cs.ucdavis.edu)
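Added example (not code from the original message or from the FreeBSD rlogin source) showing the strncpy() termination problem discussed above: a TERM value is copied into a fixed buffer exactly as the quoted patch does, then the same copy is repeated with the explicit terminator the reply calls for. The 1016-byte buffer size is assumed from the strncpy() length and the `term[1015] = '\0'` fix; the oversized TERM value is constructed for the demonstration.

```c
#include <stdio.h>
#include <string.h>

#define TERM_BUF 1016   /* assumed size of term[], matching strncpy(..., 1016) */

/* Copy src as the quoted patch does and report whether the result contains
 * a NUL at all. strncpy() pads with NULs only when src is shorter than the
 * length; if src fills the buffer, no terminator is written. */
int unsafe_copy_is_terminated(const char *src)
{
    char term[TERM_BUF];
    memset(term, 'X', sizeof term);          /* poison: stand in for stale stack bytes */
    (void)strncpy(term, src, TERM_BUF);
    return memchr(term, '\0', sizeof term) != NULL;
}

/* Same copy, followed by the fix from the 2.1.5 patch: force the last byte
 * to NUL so later strlen()/printf("%s") calls cannot run off the buffer. */
int safe_copy_is_terminated(const char *src)
{
    char term[TERM_BUF];
    memset(term, 'X', sizeof term);
    (void)strncpy(term, src, sizeof term);
    term[sizeof term - 1] = '\0';             /* equivalent of term[1015] = '\0'; */
    return memchr(term, '\0', sizeof term) != NULL;
}

/* Constructed sample input: a TERM value of 2000 non-NUL bytes, longer than
 * the buffer, as an attacker-controlled environment variable could be. */
const char *oversized_term(void)
{
    static char big[2001];
    if (big[0] == '\0') {
        memset(big, 'A', 2000);
        big[2000] = '\0';
    }
    return big;
}

int main(void)
{
    printf("short TERM, plain strncpy:   terminated=%d\n", unsafe_copy_is_terminated("vt100"));
    printf("long TERM,  plain strncpy:   terminated=%d\n", unsafe_copy_is_terminated(oversized_term()));
    printf("long TERM,  with term[n-1]=0: terminated=%d\n", safe_copy_is_terminated(oversized_term()));
    return 0;
}
```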