[2868] in Kerberos-V5-bugs
pty/539: pty_getpty() broken under BSD
daemon@ATHENA.MIT.EDU (Ken Dahl)
Tue Jan 27 14:08:08 1998
Resent-From: gnats@rt-11.MIT.EDU (GNATS Management)
Resent-To: hartmans@MIT.EDU
Resent-Reply-To: krb5-bugs@MIT.EDU, ken@lassa.kwd.com
Date: Tue, 27 Jan 1998 14:05:57 -0500 (EST)
From: Ken Dahl <ken@lassa.kwd.com>
Reply-To: ken@lassa.kwd.com
To: krb5-bugs@MIT.EDU
>Number: 539
>Category: pty
>Synopsis: pty_getpty() broken under BSD
>Confidential: no
>Severity: serious
>Priority: low
>Responsible: hartmans
>State: open
>Class: sw-bug
>Submitter-Id: unknown
>Arrival-Date: Tue Jan 27 14:07:03 EST 1998
>Last-Modified:
>Originator: Ken Dahl
>Organization:
>Release: krb5-1.0.4
>Environment:
System: BSD/OS lassa.kwd.com 3.1 BSDI BSD/OS 3.1 Kernel #6: Mon Nov 3 10:24:17 EST 1997 ken@lassa.kwd.com:/usr/src/sys/compile/LASSA i386
>Description:
There are off-by-one errors in pty_getpty() caused by use of
sizeof rather than strlen. I have made a patch that uses numeric
constants instead of either sizeof or strlen since I find the constants
to be just as readable, AND unambiguous. The patch is based on working
kerberosIV source from BSDI.
>How-To-Repeat:
>Fix:
*** src/util/pty/getpty.c.orig Tue Jan 27 13:19:07 1998
--- src/util/pty/getpty.c Tue Jan 27 13:47:48 1998
***************
*** 109,127 ****
strncpy(slave, slavebuf, slavelength);
return 0;
} else {
for (cp = "pqrstuvwxyzPQRST";*cp; cp++) {
! sprintf(slavebuf,"/dev/ptyXX");
! slavebuf[sizeof("/dev/pty")] = *cp;
! slavebuf[sizeof("/dev/ptyp")] = '0';
if (stat(slavebuf, &stb) < 0)
break;
for (i = 0; i < 16; i++) {
! slavebuf[sizeof("/dev/ptyp") - 1] = "0123456789abcdef"[i];
*fd = open(slavebuf, O_RDWR);
if (*fd < 0) continue;
/* got pty */
! slavebuf[strlen("/dev/")] = 't';
if (strlen(slavebuf) > slavelength -1) {
close(*fd);
*fd = -1;
--- 109,132 ----
strncpy(slave, slavebuf, slavelength);
return 0;
} else {
+ char *p1, *p2;
+
+ sprintf(slavebuf,"/dev/ptyXX");
+ p1 = &slavebuf[8];
+ p2 = &slavebuf[9];
+
for (cp = "pqrstuvwxyzPQRST";*cp; cp++) {
! *p1 = *cp;
! *p2 = '0';
if (stat(slavebuf, &stb) < 0)
break;
for (i = 0; i < 16; i++) {
! *p2 = "0123456789abcdef"[i];
*fd = open(slavebuf, O_RDWR);
if (*fd < 0) continue;
/* got pty */
! slavebuf[5] = 't';
if (strlen(slavebuf) > slavelength -1) {
close(*fd);
*fd = -1;
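Review bot: the literal indices in `p1 = &slavebuf[8];`, `p2 = &slavebuf[9];` and `slavebuf[5] = 't';` are correct for "/dev/ptyXX", but nothing ties them to that string, so a later change to the template would silently reintroduce the mis-indexing this patch removes. Deriving them as `sizeof("/dev/pty") - 1` and `sizeof("/dev/ptyp") - 1`, or from named constants, keeps the fix and the link to the literal. The old `slavebuf[strlen("/dev/")] = 't'` already evaluated to index 5 and was not part of the off-by-one, so that line could stay as it was. Also, with `sprintf(slavebuf,"/dev/ptyXX")` hoisted out of the `for (cp = ...)` loop, the buffer is no longer reset on each outer iteration: if any path after `slavebuf[5] = 't'` can continue the loop instead of returning, later `open()` calls would be made on /dev/tty names, which is worth confirming against the code below the visible context.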
>Audit-Trail:
>Unformatted:
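The off-by-one described in this report, as an added example that is not part of the original report or of the krb5 source. The helper names, the 16-byte buffer and the '#' filler are constructed for illustration; the index expressions in the first function are the ones from the pre-patch hunk, and the strlen form is shown as one corrected alternative to the numeric constants the patch uses.

```c
#include <stdio.h>
#include <string.h>

#define PTY_TEMPLATE "/dev/ptyXX"
#define DEMO_LEN 16            /* constructed buffer size for this demo */

/* Fill the buffer with '#' so a lost terminator is visible, then write
 * the template. The final byte stays NUL to keep the demo's reads bounded. */
static void demo_init(char *buf)
{
    memset(buf, '#', DEMO_LEN);
    buf[DEMO_LEN - 1] = '\0';
    snprintf(buf, DEMO_LEN, "%s", PTY_TEMPLATE);
}

/* Pre-patch indexing: sizeof counts the terminating NUL of the literal,
 * so every index lands one byte past the character it should replace. */
static void name_with_sizeof(char *buf, char bank, char unit)
{
    demo_init(buf);
    buf[sizeof("/dev/pty")] = bank;         /* index 9, not 8 */
    buf[sizeof("/dev/ptyp")] = '0';         /* index 10: overwrites the NUL */
    buf[sizeof("/dev/ptyp") - 1] = unit;    /* index 9: replaces the bank letter */
}

/* Corrected indexing: strlen gives the offset of the first 'X'. */
static void name_with_strlen(char *buf, char bank, char unit)
{
    demo_init(buf);
    buf[strlen("/dev/pty")] = bank;         /* index 8 */
    buf[strlen("/dev/ptyp")] = unit;        /* index 9 */
}

int main(void)
{
    char a[DEMO_LEN], b[DEMO_LEN];

    name_with_sizeof(a, 'q', '3');
    name_with_strlen(b, 'q', '3');
    printf("sizeof indexing: %s\n", a);
    printf("strlen indexing: %s\n", b);
    return 0;
}
```

With the sizeof indexing the first placeholder is never replaced and the string runs on into whatever follows the template in the buffer, so the name handed to stat() and open() is not a valid pty device path.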