[2919] in Kerberos-V5-bugs
krb5-appl/587: rlogin segfaults with strcat(term,NULL) when termios c_cflag bogus
daemon@ATHENA.MIT.EDU (cml@ucdavis.edu)
Thu Apr 30 14:15:10 1998
Resent-From: gnats@rt-11.MIT.EDU (GNATS Management)
Resent-To: krb5-unassigned@RT-11.MIT.EDU
Resent-Reply-To: krb5-bugs@MIT.EDU, cml@ucdavis.edu
Date: Thu, 30 Apr 1998 11:04:00 -0700 (PDT)
From: cml@ucdavis.edu
Reply-To: cml@ucdavis.edu
To: krb5-bugs@MIT.EDU
>Number: 587
>Category: krb5-appl
>Synopsis: rlogin segfaults with strcat(term,NULL) when termios c_cflag bogus
>Confidential: yes
>Severity: serious
>Priority: medium
>Responsible: krb5-unassigned
>State: open
>Class: sw-bug
>Submitter-Id: unknown
>Arrival-Date: Thu Apr 30 14:06:01 EDT 1998
>Last-Modified:
>Originator: Chris Lambertus
>Organization:
Information Resources
>Release: krb5-1.0.5
>Environment:
System: SunOS zen 5.6 Generic_105181-04 sun4m sparc SUNW,SPARCstation-20
Architecture: sun4
Build: ./configure --prefix=/opt/pkg/kerberos --sbindir=/opt/pkg/kerberos/bin --enable-shared
Compiler: SUNWspro
>Description:
A bug in Solaris CDE causes the termios struct to be filled in
with a bogus baud rate of 88824, which does not match in krlogin.c's
speeds[] array. If POSIX_TERMIOS is defined (true for Solaris),
cfgetospeed(&ttyb) returns '29', which causes speeds[ospeed] to
reference null. strcat(term,NULL) then causes a segfault.
>How-To-Repeat:
Pathological condition with Solaris CDE. Log in on a Solaris machine
running CDE in failsafe mode without resetting speed via stty.
Check speed with stty. If it says
ispeed 88840 baud; ospeed 88824 baud;
rlogin will segfault. I don't know of any way to purposely subvert
the termios struct. Sun has an open bugID on this problem.
>Fix:
Workaround for Solaris: stty 9600
Fix in code: Make the c_cflag-to-human-readable-speed conversion a separate routine
that falls through to 9600 if the baud rate doesn't match. This is the way
Linux's netkit-rsh handles the situation, and it seems to be a fairly elegant
solution.
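An added example of the fallback routine the report suggests (not krlogin.c's code and not the reporter's): the speed table, the "term/rate" format and the 9600 default are assumptions modelled on the report, and the lookup is by value rather than by array index so an out-of-range code cannot read past the table.

```c
#include <string.h>
#include <termios.h>

/* Assumed table (not krlogin.c's own speeds[]): POSIX speed_t code
   paired with the human-readable rate rlogin appends to the TERM string. */
struct speed_entry { speed_t code; const char *name; };

static const struct speed_entry speed_table[] = {
    { B0, "0" },       { B50, "50" },       { B75, "75" },       { B110, "110" },
    { B134, "134" },   { B150, "150" },     { B200, "200" },     { B300, "300" },
    { B600, "600" },   { B1200, "1200" },   { B1800, "1800" },   { B2400, "2400" },
    { B4800, "4800" }, { B9600, "9600" },   { B19200, "19200" }, { B38400, "38400" },
};

/* Look the code up by value instead of indexing speeds[] with it, so a
   code outside the table (the bogus one CDE leaves behind) falls through
   to "9600" rather than reading past the array and yielding NULL. */
const char *speed_to_string(speed_t code)
{
    size_t i;
    for (i = 0; i < sizeof speed_table / sizeof speed_table[0]; i++)
        if (speed_table[i].code == code)
            return speed_table[i].name;
    return "9600";
}

/* Build "term/rate" into out, refusing to overflow the caller's buffer.
   Returns 0 on success, -1 if the result would not fit. */
int build_term_string(char *out, size_t outlen, const char *term, speed_t code)
{
    const char *rate = speed_to_string(code);
    if (strlen(term) + 1 + strlen(rate) + 1 > outlen)
        return -1;
    strcpy(out, term);
    strcat(out, "/");
    strcat(out, rate);
    return 0;
}

/* The POSIX_TERMIOS path: take the output rate from the termios struct. */
int build_term_from_termios(char *out, size_t outlen, const char *term,
                            const struct termios *tp)
{
    return build_term_string(out, outlen, term, cfgetospeed(tp));
}
```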
>Audit-Trail:
>Unformatted:
no
if termios_p->c_cflag &'s against a bogus baud rate, rlogin can crash
serious
low
sw-bug