From kenh@cmf.nrl.navy.mil Sun Jan 26 14:48:33 1997
Received: from MIT.EDU (PACIFIC-CARRIER-ANNEX.MIT.EDU [18.69.0.28]) by rt-11.MIT.EDU (8.7.5/8.7.3) with SMTP id OAA26958 for <bugs@RT-11.MIT.EDU>; Sun, 26 Jan 1997 14:48:32 -0500
Received: from [134.207.10.161] by MIT.EDU with SMTP
id AA16782; Sun, 26 Jan 97 14:48:31 EST
Received: from nexus.cmf.nrl.navy.mil (kenh@nexus.cmf.nrl.navy.mil [134.207.10.9]) by ginger.cmf.nrl.navy.mil (8.7.5/8.7.3) with ESMTP id OAA20328 for <krb5-bugs@mit.edu>; Sun, 26 Jan 1997 14:48:24 -0500 (EST)
Received: (kenh@localhost) by nexus.cmf.nrl.navy.mil (8.7.5/8.6.11) id OAA18259; Sun, 26 Jan 1997 14:48:28 -0500 (EST)
Message-Id: <199701261948.OAA18259@nexus.cmf.nrl.navy.mil>
Date: Sun, 26 Jan 1997 14:48:28 -0500 (EST)
From: Ken Hornstein <kenh@cmf.nrl.navy.mil>
Reply-To: kenh@cmf.nrl.navy.mil
To: krb5-bugs@MIT.EDU
Subject: IRIX bug in pty packet mode handling causes mangled login prompt
X-Send-Pr-Version: 3.99

>Number: 353
>Category: krb5-appl
>Synopsis: A bug in IRIX pty packet mode handling causes a mangled login prompt
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: krb5-unassigned
>State: open
>Class: change-request
>Submitter-Id: unknown
>Arrival-Date: Sun Jan 26 14:49:01 EST 1997
>Last-Modified:
>Originator: Ken Hornstein
>Organization:
Naval Research Lab

>Release: 1.0
>Environment:

System: IRIX borg 5.3
Architecture: mips

>Description:

There is a bug in IRIX w.r.t. pty packet mode. The gist of the bug is that
if data is written to a slave _before_ a pty is switched into packet mode,
it will be output on the master without a control byte even if the master
gets switched into packet mode later.

So, how does this affect Kerberos 5? This generates a race condition with
the Kerberos login program and telnetd. If the login program prints a
prompt before telnetd switches the master pty into packet mode, then
the first character will get eaten. This becomes more noticeable if you
remove the "sleep(2)" inside of the login program.

While normally this just results in a "ogin: " prompt, depending on your
telnet client you can occasionally get a "assword for user:" prompt, which
is ... unexpected at best, and potentially insulting at worst :-)
>How-To-Repeat:

Run the Kerberos login/telnetd under Irix for a while. Or use this example
program to demonstrate the bug (yes, it's a gross program, but what do
you expect for a five-minute hack? :-) ).

#include <stdio.h>
#include <stdlib.h>     /* exit() */
#include <string.h>     /* strlen() */
#include <unistd.h>     /* read(), write(); _getpty() on IRIX */
#include <sys/types.h>
#include <sys/stat.h>
#include <sys/ioctl.h>  /* ioctl(), TIOCPKT */
#include <fcntl.h>
#include <termios.h>

int
main(int argc, char *argv[])
{
    char *master = NULL;
    char *slave;
    int masterfd, slavefd, i = 1;
    char buf[256];

#ifdef sgi
    /* IRIX-specific: allocate a pty pair, return the slave's name */
    slave = _getpty(&masterfd, O_RDWR|O_NDELAY, 0600, 0);

    if (! slave) {
        fprintf(stderr, "Cannot get pty, exiting\n");
        exit(1);
    }

    if ((slavefd = open(slave, O_RDWR)) < 0) {
        fprintf(stderr, "Cannot open slave, exiting\n");
        exit(1);
    }
#else
    /* BSD-style fixed pair; pick another if ptyr0 is already in use */
    master = "/dev/ptyr0";
    slave = "/dev/ttyr0";

    if ((masterfd = open(master, O_RDWR|O_NDELAY, 0600)) < 0) {
        fprintf(stderr, "Cannot open master, exiting\n");
        exit(1);
    }

    if ((slavefd = open(slave, O_RDWR|O_NDELAY, 0600)) < 0) {
        fprintf(stderr, "Cannot open slave, exiting\n");
        exit(1);
    }
#endif
    if (master)
        printf("master pty = %s\n", master);
    printf("slave pty = %s\n", slave);

    /* Step 1: write to the slave while the master is NOT yet in packet mode */
    printf("Writing data on slave pty ...\n");

    write(slavefd, "hello", strlen("hello"));

    /* Step 2: now switch the master into packet mode (i == 1 enables it) */
    printf("Switching master into packet mode...\n");

    if (ioctl(masterfd, TIOCPKT, &i) < 0) {
        perror("ioctl(TIOCPKT)");
        exit(1);
    }

    /* Step 3: read from the master.  Expected: a TIOCPKT_DATA (0x00)
     * control byte followed by "hello".  On IRIX the data arrives with
     * no control byte, so the first byte is 'h' (0x68) instead. */
    printf("Reading data from master ...\n");

    i = read(masterfd, buf, sizeof(buf));   /* was 999, larger than buf */

    if (i < 0) {
        perror("read");
        exit(1);
    }

    printf("I got %d bytes, first byte was %02x\n", i, (unsigned char)buf[0]);

    exit(0);
}
>Fix:

My solution was to add an "#ifdef sgi ... fputc('\0') ... #endif" at the
appropriate spots in login. I'm not sure what the right thing to do is.
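Added example, not part of the bug report or of the Kerberos sources: it models how a packet-mode reader such as telnetd interprets one read from the master (control byte first, then terminal data) and renders what the user sees. main() runs the IRIX case from the description, where the 'l' of "login: " is consumed as the control byte; the same function also shows why the fix's leading '\0' is harmless either way, since a NUL eaten as the control byte is TIOCPKT_DATA and a NUL passed through is ignored by the terminal. pkt_split and prompt_as_seen are hypothetical names and the input bytes are constructed.

```c
#include <stdio.h>
#include <string.h>

#ifndef TIOCPKT_DATA
#define TIOCPKT_DATA 0   /* control byte meaning "plain terminal data follows" */
#endif

/* Split one read() from a TIOCPKT-mode master into control byte and
 * payload.  Returns the control byte, or -1 for an empty read.  The reader
 * cannot tell whether buf[0] really came from the driver, which is why
 * the IRIX behaviour turns the 'l' of "login: " into a bogus control byte. */
int pkt_split(const unsigned char *buf, size_t n,
              const unsigned char **payload, size_t *plen)
{
    if (n == 0)
        return -1;
    *payload = buf + 1;
    *plen = n - 1;
    return buf[0];
}

/* Render the payload as the user's terminal shows it: NUL bytes are
 * dropped (a terminal ignores them), everything else is kept as text.
 * Returns the control byte from pkt_split; out is always NUL terminated. */
int prompt_as_seen(const unsigned char *buf, size_t n, char *out, size_t outsz)
{
    const unsigned char *p;
    size_t plen, i, o = 0;
    int ctl = pkt_split(buf, n, &p, &plen);

    if (ctl >= 0)
        for (i = 0; i < plen && o + 1 < outsz; i++)
            if (p[i] != '\0')
                out[o++] = (char)p[i];
    if (outsz > 0)
        out[o] = '\0';
    return ctl;
}

int main(void)
{
    /* Constructed master-side read for the IRIX case (not a real capture):
     * "login: " arrived with no control byte, so 'l' (0x6c) is eaten. */
    static const unsigned char irix[] = { 'l','o','g','i','n',':',' ' };
    char shown[32];
    int ctl = prompt_as_seen(irix, sizeof irix, shown, sizeof shown);

    printf("control byte 0x%02x, user sees \"%s\"\n", ctl, shown);
    return 0;
}
```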
>Audit-Trail:
>Unformatted: