Date: Sun, 5 May 2002 16:00:49 +0200 (CEST)
From: Andre Albsmeier
To: FreeBSD-gnats-submit@FreeBSD.org
Subject: bin/37766: telnetd dumps core in sra.c (char* line can't be accessed)
Message-Id: <200205051400.g45E0nsl087253@curry.mchp.siemens.de>

>Number:         37766
>Category:       bin
>Synopsis:       telnetd dumps core in sra.c (char* line can't be accessed)
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sun May 05 07:10:01 PDT 2002
>Closed-Date:
>Last-Modified:
>Originator:     Andre Albsmeier
>Release:        FreeBSD 4.5-STABLE i386
>Organization:
>Environment:
System:
FreeBSD 4.5-STABLE #1: Tue Apr 30 09:02:27 CEST 2002

>Description:

Telnetting to a machine with -l root (no comments, please :-)) makes
telnetd dump core. When replacing the whole crypto/telnet/ directory
with a version from 28.3.02 the problem goes away. I assume it has to
do with the infamous global "char* line".

>How-To-Repeat:

andre@voyager:~>telnet -l root 127.1
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
Trying SRA secure login:
User (root):
Password:
Connection closed by foreign host.
andre@voyager:~>

Here is the gdb output:

root@voyager:/tmp/.allcores>gdb /usr/obj/src/src-4/secure/libexec/telnetd/telnetd 0-telnetd
GNU gdb 4.18
Copyright 1998 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "i386-unknown-freebsd"...
Core was generated by `telnetd'.
Program terminated with signal 11, Segmentation fault.
Reading symbols from /usr/lib/libutil.so.3...done.
Reading symbols from /usr/lib/libncurses.so.5...done.
Reading symbols from /usr/lib/libmp.so.3...done.
Reading symbols from /usr/lib/libcrypto.so.2...done.
Reading symbols from /usr/lib/libcrypt.so.2...done.
Reading symbols from /usr/lib/libpam.so.1...done.
Reading symbols from /usr/lib/libc.so.4...done.
Reading symbols from /usr/lib/pam_unix.so...done.
Reading symbols from /usr/libexec/ld-elf.so.1...done.
#0 0x281fc303 in strncmp () from /usr/lib/libc.so.4
(gdb) where
#0 0x281fc303 in strncmp () from /usr/lib/libc.so.4
#1 0x28227fa4 in .curbrk () from /usr/lib/libc.so.4
#2 0x8052aac in rootterm (ttyn=0x7665642f ) at /src/src-4/secure/lib/libtelnet/../../../crypto/telnet/libtelnet/sra.c:431
#3 0x8052ca9 in check_user (name=0x805d000 "root", cred=0x805d100 "test123") at /src/src-4/secure/lib/libtelnet/../../../crypto/telnet/libtelnet/sra.c:574
#4 0x80524b1 in sra_is (ap=0x805779c, data=0x805ac24 "\0032B58CD976D30498Aÿð\n\002\b\013\002\025\f\002\027\r\002\022\016\002\026\017\002\021\020\002\023\021", cnt=17) at /src/src-4/secure/lib/libtelnet/../../../crypto/telnet/libtelnet/sra.c:206
#5 0x805050d in auth_is (data=0x805ac22 "\006", cnt=19) at /src/src-4/secure/lib/libtelnet/../../../crypto/telnet/libtelnet/auth.c:479
#6 0x804b697 in suboption () at /src/src-4/secure/libexec/telnetd/../../../crypto/telnet/telnetd/state.c:1427
#7 0x804a7bc in telrcv () at /src/src-4/secure/libexec/telnetd/../../../crypto/telnet/telnetd/state.c:338
#8 0x804e3e6 in ttloop () at /src/src-4/secure/libexec/telnetd/../../../crypto/telnet/telnetd/utility.c:88
#9 0x804fcb3 in telnet_spin () at /src/src-4/secure/libexec/telnetd/../../../crypto/telnet/telnetd/authenc.c:74
#10 0x805076e in auth_wait (name=0x805b000 "") at /src/src-4/secure/lib/libtelnet/../../../crypto/telnet/libtelnet/auth.c:572
#11 0x804cd63 in getterminaltype (name=0x805b000 "") at /src/src-4/secure/libexec/telnetd/../../../crypto/telnet/telnetd/telnetd.c:473
#12 0x804d2d1 in doit (who=0xbfbffc1c) at /src/src-4/secure/libexec/telnetd/../../../crypto/telnet/telnetd/telnetd.c:705
#13 0x804cbfe in main (argc=1, argv=0xbfbffcf4) at /src/src-4/secure/libexec/telnetd/../../../crypto/telnet/telnetd/telnetd.c:400
#14 0x8049c1d in _start ()
(gdb) quit

>Fix:

Unknown. Mark Murray might know about this since he MFC'ed the changes.

>Release-Note:
>Audit-Trail:
>Unformatted:
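
A triage check for the backtrace above, added here as an example and not part of the original report or of FreeBSD's code: the faulting argument in frame #2, ttyn=0x7665642f, is the four ASCII bytes "/dev" in i386 little-endian order, which is the value a pointer load from the start of a character buffer holding a device path would produce. The function names and the sample path "/dev/ttyp0" are assumptions made for the example.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Decode v as four little-endian bytes; fill out[] only if all are printable. */
static int ptr_as_text(uint32_t v, char out[5])
{
    char tmp[5] = {0};
    for (int i = 0; i < 4; i++) {
        unsigned char b = (unsigned char)(v >> (8 * i));
        if (!isprint(b))
            return 0;
        tmp[i] = (char)b;
    }
    memcpy(out, tmp, sizeof tmp);
    return 1;
}

/* Word a 32-bit little-endian CPU loads if a char buffer is read as a pointer. */
static uint32_t first_word_le(const char *buf)
{
    const unsigned char *p = (const unsigned char *)buf;
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Count "=0x..." arguments in a gdb frame line that decode to text (last in hit). */
static int scan_frame(const char *frame, char hit[5])
{
    int found = 0;
    for (const char *p = frame; (p = strstr(p, "=0x")) != NULL; p += 3) {
        unsigned long v = strtoul(p + 1, NULL, 16);
        if (v <= 0xffffffffUL && ptr_as_text((uint32_t)v, hit))
            found++;
    }
    return found;
}

int main(void)
{
    char text[5] = "";
    /* Frame #2 from the report; "/dev/ttyp0" is a constructed sample path. */
    int n = scan_frame("#2 0x8052aac in rootterm (ttyn=0x7665642f", text);
    printf("suspect args: %d, decoded \"%s\"\n", n, text);
    printf("buffer read as pointer: 0x%08x\n", (unsigned)first_word_le("/dev/ttyp0"));
    return 0;
}
```

Genuine heap pointers in the same trace, such as name=0x805d000 in frame #3, contain non-printable bytes and are not flagged.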