[3077] in Kerberos-V5-bugs
pending/718: Standard output/error lossage in encrypted rsh
daemon@ATHENA.MIT.EDU (Robert A Basch)
Wed Jun 2 16:51:19 1999
Resent-From: gnats@rt-11.MIT.EDU (GNATS Management)
Resent-To: gnats-admin@rt-11.MIT.EDU
Resent-Reply-To: krb5-bugs@MIT.EDU, Robert A Basch <rbasch@MIT.EDU>
Message-Id: <199906022050.UAA30969@boom.mit.edu>
Date: Wed, 02 Jun 1999 16:50:52 -0400
From: Robert A Basch <rbasch@MIT.EDU>
To: source-reviewers@MIT.EDU
Cc: krb5-bugs@MIT.EDU
>Number: 718
>Category: pending
>Synopsis: Standard output/error lossage in encrypted rsh
>Confidential: yes
>Severity: serious
>Priority: medium
>Responsible: gnats-admin
>State: open
>Class: sw-bug
>Submitter-Id: unknown
>Arrival-Date: Wed Jun 02 16:51:00 EDT 1999
>Last-Modified:
>Originator:
>Organization:
>Release:
>Environment:
>Description:
>How-To-Repeat:
>Fix:
>Audit-Trail:
>Unformatted:
In an encrypted rsh session, standard output (or error) data can be
dropped, if the remote end sends a large amount of data. The bug
can be reproduced by doing:
    rsh -x <host> cat <file>
where <file> is larger than 4096 bytes; data following byte 4096 is
frequently dropped.
The problem is that v5_des_read(), in kcmd.c, will buffer data when it
reads more than the caller's buffer will hold. But the calling code
has no way of knowing that there is more data available; it only uses
select() to check the descriptor itself. Making matters worse, both
the output and error descriptors are handled this way, but v5_des_read()
uses static variables to remember state.
A real fix for this seems to involve more rearchitecting of the code
than I care to do, so this patch works around the problem by
increasing the caller's buffer size from 4096 to 8192 bytes. Since
the sender's max send size is 5120, this ensures that v5_des_read()
won't read more than the caller's buffer can hold.
Index: third/krb5/src/appl/bsd/krsh.c
===================================================================
RCS file: /afs/dev.mit.edu/source/repository/third/krb5/src/appl/bsd/krsh.c,v
retrieving revision 1.2
diff -c -r1.2 krsh.c
*** krsh.c 1997/10/19 03:44:29 1.2
--- krsh.c 1999/06/02 18:52:01
***************
*** 88,94 ****
#define UCB_RSH "/usr/ucb/rsh"
#endif
! #define RSH_BUFSIZ 4096
krb5_context bsd_context;
krb5_creds *cred;
--- 88,94 ----
#define UCB_RSH "/usr/ucb/rsh"
#endif
! #define RSH_BUFSIZ 8192
krb5_context bsd_context;
krb5_creds *cred;
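Review bot: The new value in "#define RSH_BUFSIZ 8192" is only correct while it stays at or above the sender's maximum send size (5120 according to the description), and nothing at the define records that dependency. Add a comment on this line stating the constraint, namely that RSH_BUFSIZ must be at least as large as the biggest record the peer sends so that v5_des_read() never has to hold data back. Otherwise a later change to either size can silently reintroduce the loss. As the description says, this is a workaround: v5_des_read() still keeps its leftover data in static variables shared by the output and error descriptors.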
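The failure mode described in the report, reduced to a small model; this is an added example, not code from the message or from kcmd.c/krsh.c. model_des_read() and delivered_with_bufsiz() are hypothetical names, a pipe stands in for the encrypted connection, and a zero-timeout select() stands in for the caller's readiness check.

```c
#include <string.h>
#include <sys/select.h>
#include <unistd.h>

#define SENDER_MAX 5120            /* sender's max send size, per the report */

static char stash[SENDER_MAX];     /* static leftover state, as the report */
static size_t stash_len;           /* describes for v5_des_read() */

/* Hypothetical stand-in for v5_des_read(): pulls a whole record off the
 * descriptor, returns what fits, keeps the remainder in static storage. */
static ssize_t model_des_read(int fd, char *buf, size_t len)
{
    if (stash_len == 0) {
        ssize_t n = read(fd, stash, sizeof stash);
        if (n <= 0)
            return n;
        stash_len = (size_t)n;
    }
    size_t take = stash_len < len ? stash_len : len;
    memcpy(buf, stash, take);
    memmove(stash, stash + take, stash_len - take);
    stash_len -= take;
    return (ssize_t)take;
}

/* Caller loop in the style the report describes: only select() on the
 * descriptor decides whether to read again. Returns bytes delivered. */
size_t delivered_with_bufsiz(size_t bufsiz)
{
    static char record[SENDER_MAX], buf[8192];  /* constructed all-zero record */
    int p[2];
    size_t total = 0;

    stash_len = 0;
    if (bufsiz > sizeof buf || pipe(p) != 0)
        return 0;
    if (write(p[1], record, sizeof record) == (ssize_t)sizeof record) {
        for (;;) {
            fd_set rd;
            struct timeval tv = {0, 0};
            FD_ZERO(&rd);
            FD_SET(p[0], &rd);
            if (select(p[0] + 1, &rd, NULL, NULL, &tv) <= 0)
                break;          /* fd idle: stashed bytes are never fetched */
            ssize_t n = model_des_read(p[0], buf, bufsiz);
            if (n <= 0)
                break;
            total += (size_t)n;
        }
    }
    close(p[0]);
    close(p[1]);
    return total;
}
```

With a 4096-byte caller buffer the loop stops with 1024 bytes still held in the static stash; with 8192 the whole record fits in one call, which is all the workaround relies on.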