From owner-freebsd-bugs Tue May 28 15:10:10 1996
Date: Tue, 28 May 96 12:13 MET DST
From: gemini@geminix.snafu.de
Reply-To: gemini@who.cdrom.com
To: FreeBSD-gnats-submit@freebsd.org
X-Send-Pr-Version: 3.2
Subject: bin/1273: Bug in rshd
Sender: owner-bugs@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

>Number: 1273
>Category: bin
>Synopsis: remote hostname gets corrupted in rshd
>Confidential: no
>Severity: non-critical
>Priority: medium
>Responsible: freebsd-bugs
>State: open
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Tue May 28 15:10:02 PDT 1996
>Last-Modified:
>Originator: Uwe Doering
>Organization:
>Release: FreeBSD 2.1-STABLE i386
>Environment:
>Description:
After rshd looked up the remote host name by calling gethostbyaddr(), it calls iruserok() which internally calls gethostbyaddr() as well and therefore corrupts the host name returned by the first call to this function.
>How-To-Repeat:
From a machine that is neither in /etc/hosts.equiv nor in ~/.rhosts, `rsh -K' to a host running FreeBSD 2.1R or -stable and look at the remote host name in the `permission denied' line in /var/log/messages. It's very likely wrong, corrupted or missing at all.
>Fix:
Copy the remote host name into a private buffer so that it is protected from network library functions. Here's the fix:

--- rshd.c-dist Sat Sep 2 16:40:24 1995 +++ rshd.c Thu May 23 14:04:46 1996 @@ -200,6 +200,7 @@ char *cp, sig, buf[BUFSIZ]; char cmdbuf[NCARGS+1], locuser[16], remuser[16]; char remotehost[2 * MAXHOSTNAMELEN + 1]; + char rremotehost[2 * MAXHOSTNAMELEN + 1]; #ifdef KERBEROS AUTH_DAT *kdata = (AUTH_DAT *) NULL;
@@ -332,13 +333,13 @@ * address corresponds to the name. */ hostname = hp->h_name; + strncpy(remotehost, hp->h_name, sizeof(remotehost) - 1); + remotehost[sizeof(remotehost) - 1] = 0; + errorhost = remotehost; #ifdef KERBEROS if (!use_kerberos) #endif if (check_all || local_domain(hp->h_name)) { - strncpy(remotehost, hp->h_name, sizeof(remotehost) - 1); - remotehost[sizeof(remotehost) - 1] = 0; - errorhost = remotehost; hp = gethostbyname(remotehost); if (hp == NULL) { syslog(LOG_INFO, @@ -366,8 +367,15 @@ } } } - } else - errorhost = hostname = inet_ntoa(fromp->sin_addr); + strncpy(rremotehost, hostname, sizeof(rremotehost) - 1); + rremotehost[sizeof(rremotehost) - 1] = 0; + hostname = rremotehost; + } else { + strncpy(rremotehost, inet_ntoa(fromp->sin_addr), + sizeof(rremotehost) - 1); + rremotehost[sizeof(rremotehost) - 1] = 0; + errorhost = hostname = rremotehost; + } #ifdef KERBEROS if (use_kerberos) { >Audit-Trail: >Unformatted:
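
Review bot: In the @@ -200,6 +200,7 @@ hunk, the new `rremotehost` differs from the adjacent `remotehost` by a single letter and has the same size, so a later edit can easily write to the wrong buffer. A name that says what the buffer holds (the name `hostname` ends up pointing at) plus a one-line comment on the declaration would keep the two apart.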
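
Review bot: In the @@ -332,13 +333,13 @@ hunk, `hostname = hp->h_name;` is left pointing at the resolver's storage while `errorhost` now points at the private copy, and the block below still calls `gethostbyname(remotehost)` before the later hunk copies `hostname` into `rremotehost`. Either assign `hostname = remotehost;` right after the moved `strncpy()` or confirm that every path through the `gethostbyname()` block reassigns `hostname` before it is read.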
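
Review bot: In the @@ -366,8 +367,15 @@ hunk, neither new copy into `rremotehost` carries a comment saying why it is needed, so the `strncpy()` calls look redundant to anyone who has not read the report. Add a comment that `hostname` otherwise points at storage owned by `gethostbyaddr()` or `inet_ntoa()` which later library calls such as `iruserok()` overwrite. The copy-and-terminate pair now appears three times in the patch and could become one small helper.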
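
The failure mode from the Description and the private-buffer approach from the Fix, as an added example that is not part of the original report or of rshd: it uses inet_ntoa() (which the patch also copies from) in place of gethostbyaddr() so it runs without a resolver. The function names and the two sample addresses are constructed for illustration.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample peers (documentation address ranges). */
#define PEER_A "192.0.2.10"
#define PEER_B "198.51.100.7"

/* Copy a library-owned string into caller-owned storage, always terminated. */
static const char *save_name(char *dst, size_t dstlen, const char *src)
{
    strncpy(dst, src, dstlen - 1);
    dst[dstlen - 1] = '\0';
    return dst;
}

/*
 * Format `first`, then let a second inet_ntoa() call run (standing in for
 * the lookup done inside iruserok()), then check what the saved name reads.
 * use_copy == 0: keep the pointer the library returned (the reported bug).
 * use_copy == 1: keep a private copy (the approach of the fix).
 * Returns 1 if the name is intact, 0 if it was overwritten, -1 on bad input.
 */
int name_survives(const char *first, const char *second, int use_copy)
{
    struct in_addr a, b;
    char private_buf[INET_ADDRSTRLEN];
    const char *peer;

    if (inet_pton(AF_INET, first, &a) != 1 || inet_pton(AF_INET, second, &b) != 1)
        return -1;
    peer = inet_ntoa(a);
    if (use_copy)
        peer = save_name(private_buf, sizeof(private_buf), peer);
    (void)inet_ntoa(b);   /* reuses the library's static buffer on common libcs */
    return strcmp(peer, first) == 0;
}

int main(void)
{
    printf("borrowed pointer intact: %d\n", name_survives(PEER_A, PEER_B, 0));
    printf("private copy intact:     %d\n", name_survives(PEER_A, PEER_B, 1));
    return 0;
}
```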