From Thu Apr 30 14:05:08 1998
Received: from MIT.EDU (SOUTH-STATION-ANNEX.MIT.EDU []) by rt-11.MIT.EDU (8.7.5/8.7.3) with SMTP id OAA15348 for <bugs@RT-11.MIT.EDU>; Thu, 30 Apr 1998 14:04:55 -0400
Received: from by MIT.EDU with SMTP
id AA11420; Thu, 30 Apr 98 14:04:08 EDT
Received: (from cml@localhost)
by (8.8.8/UCD3.11.30) id LAA05877;
Thu, 30 Apr 1998 11:04:00 -0700 (PDT)
Message-Id: <>
Date: Thu, 30 Apr 1998 11:04:00 -0700 (PDT)
To: krb5-bugs@MIT.EDU
Subject: rlogin segfaults with strcat(term,NULL) when termios c_cflag bogus
X-Send-Pr-Version: 3.99

>Number: 587
>Category: krb5-appl
>Synopsis: rlogin segfaults with strcat(term,NULL) when termios c_cflag bogus
>Confidential: yes
>Severity: serious
>Priority: medium
>Responsible: krb5-unassigned
>State: open
>Class: sw-bug
>Submitter-Id: unknown
>Arrival-Date: Thu Apr 30 14:06:01 EDT 1998
>Originator: Chris Lambertus
Information Resources
>Release: krb5-1.0.5

System: SunOS zen 5.6 Generic_105181-04 sun4m sparc SUNW,SPARCstation-20
Architecture: sun4
Build: ./configure --prefix=/opt/pkg/kerberos --sbindir=/opt/pkg/kerberos/bin --enable-shared
Compiler: SUNWspro


A bug in Solaris CDE causes the termios struct to be filled in
with a bogus baud rate of 88824, which does not match in krlogin.c's
speeds[] array. If POSIX_TERMIOS is defined (true for Solaris)
cfgetospeed(&ttyb) returns '29', which causes speeds[ospeed] to
reference null. strcat(term,NULL) then causes segfault.

Pathological condition with Solaris CDE. Log in on a Solaris machine
running CDE in failsafe mode without resetting speed via stty.
Check speed with stty. If it says
ispeed 88840 baud; ospeed 88824 baud;
rlogin will segfault. I don't know of any way to purposely subvert
the termios struct. Sun has an open bugID on this problem.

Workaround for Solaris: stty 9600
Fix in code: Make the c_cflag to human readable speed be a separate routine
that falls through to 9600 if the baud rate doesn't match. This is the way
Linux's netkit-rsh handles the situation, and seems to be a fairly elegant

if termios_p->c_cflag &'s against a bogus baud rate, rlogin can crash
Subject: rlogin segfaults with strcat(term,NULL) when termios c_cflag bogus
I believe this was fixed back in the 1.1 release.
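
The fix proposed in the report (a separate lookup routine that falls back to 9600 when the speed code is not recognised) could look like the sketch below. It is an added example, not code from krb5 or netkit-rsh; `speed_table`, `speed_name`, `build_term` and the `"network"` default terminal type are hypothetical names chosen for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <termios.h>
#include <unistd.h>

/* Speed codes are looked up by value, never used as an array index. */
static const struct { speed_t code; const char *name; } speed_table[] = {
    { B0, "0" },       { B50, "50" },     { B75, "75" },     { B110, "110" },
    { B134, "134" },   { B150, "150" },   { B200, "200" },   { B300, "300" },
    { B600, "600" },   { B1200, "1200" }, { B1800, "1800" }, { B2400, "2400" },
    { B4800, "4800" }, { B9600, "9600" }, { B19200, "19200" }, { B38400, "38400" },
};

/* Return the decimal name for a termios speed code; unknown codes
 * (such as the 29 described in the report) fall back to "9600". */
const char *speed_name(speed_t code)
{
    size_t i;
    for (i = 0; i < sizeof speed_table / sizeof speed_table[0]; i++)
        if (speed_table[i].code == code)
            return speed_table[i].name;
    return "9600";
}

/* Build "termtype/speed" with a bounded write instead of strcat().
 * Returns 0 on success, -1 if the result did not fit in buf. */
int build_term(char *buf, size_t len, const char *termtype, speed_t code)
{
    int n = snprintf(buf, len, "%s/%s",
                     termtype ? termtype : "network", /* assumed default */
                     speed_name(code));
    return (n < 0 || (size_t)n >= len) ? -1 : 0;
}

int main(void)
{
    struct termios tt;
    char term[64];
    /* If stdin is not a tty, use an out-of-range code to show the fallback. */
    speed_t code = (tcgetattr(STDIN_FILENO, &tt) == 0) ? cfgetospeed(&tt) : (speed_t)29;

    if (build_term(term, sizeof term, "xterm", code) != 0)
        return 1;
    puts(term);
    return 0;
}
```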