[3099] in Kerberos-V5-bugs
krb5-appl/740: Segmentation Fault in rlogin
daemon@ATHENA.MIT.EDU (jw3251@pbis.com)
Wed Aug 11 22:48:07 1999
Resent-From: gnats@rt-11.MIT.EDU (GNATS Management)
Resent-To: krb5-unassigned@RT-11.MIT.EDU
Resent-Reply-To: krb5-bugs@MIT.EDU, jw3251@pbis.com
Message-Id: <199908120247.TAA29292@delphi.pbis.com>
Date: Wed, 11 Aug 1999 19:47:25 -0700 (PDT)
From: jw3251@pbis.com
Reply-To: jw3251@pbis.com
To: krb5-bugs@MIT.EDU
>Number: 740
>Category: krb5-appl
>Synopsis: Segmentation Fault in rlogin
>Confidential: no
>Severity: critical
>Priority: low
>Responsible: krb5-unassigned
>State: open
>Class: sw-bug
>Submitter-Id: unknown
>Arrival-Date: Wed Aug 11 22:48:01 EDT 1999
>Last-Modified:
>Originator: James A. Walker
>Organization:
Pacific Bell Information Services
>Release: krb5-1.0.6
>Environment:
System: SunOS delphi 5.6 Generic_105181-15 sun4u sparc SUNW,Ultra-2
Machine: SUN UltraSPARC-2
OS: SUN Solaris 2.6 (SunOS 5.6)
Target: SUN UltraSPARC-2, SUN Solaris 2.6 (SunOS 5.6)
Architecture: sun4
>Description:
After making and installing krb5-1.0.6, I configured and installed the
master KDC and two slaves. The applications rsh, telnet, ksu, etc. all
worked as expected, with the exception of rlogin. Whenever a user attempted
to use rlogin a segmentation fault occurred. I re-made rlogin with debug, and
ran it under the SUN Workshop debugger to find that a value of 29 was being
returned into "ospeed" in the krlogin module. Since only 21 entries were
to be found in the speeds array, an attempt to read past the end of speeds
was occurring. I modified (see below) the if statement that checked if the
ospeed value should be used directly or as a table lookup to use the ospeed
directly if the ospeed value was greater than or equal to the number of entries
in speeds, rather than the original fixed value of 50.
>How-To-Repeat:
Make and install on SUN/Solaris 2.6 using the SUN C Workshop compiler. Find
below the configure command used:
*************
./configure --prefix=/opt/PBISkrb5 --localstatedir=/var --with-cc=/opt/SUNWspro/bin/cc --with-ccopts=-xO4 --with-krb4 --without-tcl --enable-shared
*************
>Fix:
*** appl/bsd/krlogin.c~ Mon May 10 20:33:00 1999
--- appl/bsd/krlogin.c Thu Aug 5 18:31:31 1999
***************
*** 517,523 ****
int ospeed = cfgetospeed (&ttyb);
(void) strcat(term, "/");
! if (ospeed >= 50)
/* On some systems, ospeed is the baud rate itself,
not a table index. */
sprintf (term + strlen (term), "%d", ospeed);
--- 517,526 ----
int ospeed = cfgetospeed (&ttyb);
(void) strcat(term, "/");
! /* this sometimes failed when speed was < 50 but greater than array */
! /* Changed by James A. Walker */
! /* if (ospeed >= 50) */
! if (ospeed >= sizeof(speeds)/sizeof(char *))
/* On some systems, ospeed is the baud rate itself,
not a table index. */
sprintf (term + strlen (term), "%d", ospeed);
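Review bot: In the new test `if (ospeed >= sizeof(speeds)/sizeof(char *))`, a value that is past the end of the table but is not a baud rate (the 29 reported above, against a 21-entry table) now falls into the sprintf branch and is appended to term as the literal speed "29". The bounds check stops the read past the end of speeds, but the branch comment "ospeed is the baud rate itself, not a table index" does not hold for such values; consider a third case that substitutes a default speed string for codes that are neither a valid index nor 50 or above, or extend speeds to cover the codes this platform returns. The comparison also mixes the int ospeed with the unsigned result of sizeof, so an explicit `ospeed < 0` check would make the intent clear, and `sizeof(speeds[0])` avoids hard-coding the element type. The commented-out old test and the attribution comment are better carried in the change log than in the source.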
>Audit-Trail:
>Unformatted: