From cmlambertus@ucdavis.edu Thu Apr 30 14:05:08 1998
Received: from MIT.EDU (SOUTH-STATION-ANNEX.MIT.EDU [18.72.1.2]) by rt-11.MIT.EDU (8.7.5/8.7.3) with SMTP id OAA15348 for ; Thu, 30 Apr 1998 14:04:55 -0400
Received: from zen.ucdavis.edu by MIT.EDU with SMTP id AA11420; Thu, 30 Apr 98 14:04:08 EDT
Received: (from cml@localhost) by zen.ucdavis.edu (8.8.8/UCD3.11.30) id LAA05877; Thu, 30 Apr 1998 11:04:00 -0700 (PDT)
Message-Id: <199804301804.LAA05877@zen.ucdavis.edu>
Date: Thu, 30 Apr 1998 11:04:00 -0700 (PDT)
From: cml@ucdavis.edu
Reply-To: cml@ucdavis.edu
To: krb5-bugs@MIT.EDU
Subject: rlogin segfaults with strcat(term,NULL) when termios c_cflag bogus
X-Send-Pr-Version: 3.99

>Number: 587
>Category: krb5-appl
>Synopsis: rlogin segfaults with strcat(term,NULL) when termios c_cflag bogus
>Confidential: yes
>Severity: serious
>Priority: medium
>Responsible: krb5-unassigned
>State: open
>Class: sw-bug
>Submitter-Id: unknown
>Arrival-Date: Thu Apr 30 14:06:01 EDT 1998
>Last-Modified:
>Originator: Chris Lambertus
>Organization: Information Resources
>Release: krb5-1.0.5
>Environment:
System: SunOS zen 5.6 Generic_105181-04 sun4m sparc SUNW,SPARCstation-20
Architecture: sun4
Build: ./configure --prefix=/opt/pkg/kerberos --sbindir=/opt/pkg/kerberos/bin --enable-shared
Compiler: SUNWspro
>Description:
A bug in Solaris CDE causes the termios struct to be filled in with a bogus baud rate of 88824, which does not match in krlogin.c's speeds[] array. If POSIX_TERMIOS is defined (true for Solaris), cfgetospeed(&ttyb) returns '29', which causes speeds[ospeed] to reference null. strcat(term,NULL) then causes a segfault.
>How-To-Repeat:
Pathological condition with Solaris CDE. Log in on a Solaris machine running CDE in failsafe mode without resetting speed via stty. Check speed with stty. If it says "ispeed 88840 baud; ospeed 88824 baud;" rlogin will segfault. I don't know of any way to purposely subvert the termios struct. Sun has an open bugID on this problem.
>Fix:
Workaround for Solaris: stty 9600
Fix in code: Make the c_cflag to human-readable speed conversion a separate routine that falls through to 9600 if the baud rate doesn't match. This is the way Linux's netkit-rsh handles the situation, and seems to be a fairly elegant solution.
>Audit-Trail:
>Unformatted:
no if termios_p->c_cflag &'s against a bogus baud rate, rlogin can crash serious low sw-bug
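The fix the report proposes, written out as an added example (not krlogin.c or netkit-rsh code): a lookup routine keyed on the speed_t code that falls through to "9600" when nothing matches, so the TERM string can never be built from a NULL. The table, the constructed bogus code 29 and the function names are this example's own; only the POSIX-mandated B constants are listed so it compiles on any termios platform.

```c
#include <stdio.h>
#include <string.h>
#include <termios.h>

/* Table of speed_t codes and their human-readable baud rates. Only the
 * POSIX-mandated constants are listed so the block compiles everywhere;
 * platform extras such as B57600 would be added under #ifdef. */
static const struct { speed_t code; const char *name; } speed_table[] = {
    { B0, "0" }, { B50, "50" }, { B75, "75" }, { B110, "110" },
    { B134, "134" }, { B150, "150" }, { B200, "200" }, { B300, "300" },
    { B600, "600" }, { B1200, "1200" }, { B1800, "1800" }, { B2400, "2400" },
    { B4800, "4800" }, { B9600, "9600" }, { B19200, "19200" },
    { B38400, "38400" },
};

/* Map the code returned by cfgetospeed(&ttyb) to a string. Unlike indexing
 * speeds[ospeed] directly, an unknown code (such as the 29 the CDE bug
 * produces) falls through to "9600" instead of reading past the table. */
const char *speed_name(speed_t code)
{
    size_t i;
    for (i = 0; i < sizeof speed_table / sizeof speed_table[0]; i++)
        if (speed_table[i].code == code)
            return speed_table[i].name;
    return "9600";
}

/* Build the "TERM/speed" string rlogin sends. snprintf bounds the write
 * and speed_name() never returns NULL, so strcat(term, NULL) cannot occur.
 * Returns the length snprintf reports for the formatted string. */
int build_term(const char *term, speed_t code, char *out, size_t outlen)
{
    return snprintf(out, outlen, "%s/%s", term, speed_name(code));
}

int main(void)
{
    char buf[64];
    /* Constructed bogus code, standing in for what cfgetospeed returned. */
    build_term("xterm", (speed_t)29, buf, sizeof buf);
    puts(buf);                                   /* prints xterm/9600 */
    return 0;
}
```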