From cmlambertus@ucdavis.edu Thu Apr 30 14:05:08 1998
Received: from MIT.EDU (SOUTH-STATION-ANNEX.MIT.EDU [18.72.1.2]) by rt-11.MIT.EDU (8.7.5/8.7.3) with SMTP id OAA15348 for <bugs@RT-11.MIT.EDU>; Thu, 30 Apr 1998 14:04:55 -0400
Received: from zen.ucdavis.edu by MIT.EDU with SMTP
id AA11420; Thu, 30 Apr 98 14:04:08 EDT
Received: (from cml@localhost)
by zen.ucdavis.edu (8.8.8/UCD3.11.30) id LAA05877;
Thu, 30 Apr 1998 11:04:00 -0700 (PDT)
Message-Id: <199804301804.LAA05877@zen.ucdavis.edu>
Date: Thu, 30 Apr 1998 11:04:00 -0700 (PDT)
From: cml@ucdavis.edu
Reply-To: cml@ucdavis.edu
To: krb5-bugs@MIT.EDU
Subject: rlogin segfaults with strcat(term,NULL) when termios c_cflag bogus
X-Send-Pr-Version: 3.99
>Number: 587
>Category: krb5-appl
>Synopsis: rlogin segfaults with strcat(term,NULL) when termios c_cflag bogus
>Confidential: yes
>Severity: serious
>Priority: medium
>Responsible: krb5-unassigned
>State: open
>Class: sw-bug
>Submitter-Id: unknown
>Arrival-Date: Thu Apr 30 14:06:01 EDT 1998
>Last-Modified:
>Originator: Chris Lambertus
>Organization:
Information Resources
>Release: krb5-1.0.5
>Environment:
System: SunOS zen 5.6 Generic_105181-04 sun4m sparc SUNW,SPARCstation-20
Architecture: sun4
Build: ./configure --prefix=/opt/pkg/kerberos --sbindir=/opt/pkg/kerberos/bin --enable-shared
Compiler: SUNWspro
>Description:
A bug in Solaris CDE causes the termios struct to be filled in
with a bogus baud rate of 88824, which does not match in krlogin.c's
speeds[] array. If POSIX_TERMIOS is defined (true for Solaris)
cfgetospeed(&ttyb) returns '29', which causes speeds[ospeed] to
reference null. strcat(term,NULL) then causes segfault.
>How-To-Repeat:
Pathological condition with Solaris CDE. Log in on a Solaris machine
running CDE in failsafe mode without resetting speed via stty.
Check speed with stty. If it says
ispeed 88840 baud; ospeed 88824 baud;
rlogin will segfault. I don't know of any way to purposely subvert
the termios struct. Sun has an open bugID on this problem.
>Fix:
Workaround for Solaris: stty 9600
Fix in code: Make the c_cflag to human readable speed be a separate routine
that falls through to 9600 if the baud rate doesn't match. This is the way
Linux's netkit-rsh handles the situation, and seems to be a fairly elegant
solution.
>Audit-Trail:
>Unformatted:
no
if termios_p->c_cflag &'s against a bogus baud rate, rlogin can crash
serious
low
sw-bug
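
The fix proposed in the report, as an added C example (written for this page, not code from krlogin.c or netkit-rsh): the speed lookup becomes its own routine that can never return NULL and falls through to 9600 for an unrecognised code, and the append is bounds-checked. The names `speed_to_str` and `build_term`, the table layout, and the "type/speed" separator are assumptions of this example; the values 29 and 88824 are the bogus ones quoted in the report.

```c
#include <stdio.h>
#include <string.h>
#include <termios.h>

/* Hypothetical table: termios speed code -> decimal string.
 * Matching on the B* constants avoids indexing an array with a
 * value the kernel or a buggy desktop session handed us. */
struct speed_name { speed_t code; const char *name; };

static const struct speed_name speed_names[] = {
    { B0, "0" }, { B50, "50" }, { B75, "75" }, { B110, "110" },
    { B134, "134" }, { B150, "150" }, { B200, "200" }, { B300, "300" },
    { B600, "600" }, { B1200, "1200" }, { B1800, "1800" },
    { B2400, "2400" }, { B4800, "4800" }, { B9600, "9600" },
    { B19200, "19200" }, { B38400, "38400" },
};

/* Never returns NULL: unknown codes fall through to "9600". */
const char *speed_to_str(speed_t code)
{
    size_t i;
    for (i = 0; i < sizeof(speed_names) / sizeof(speed_names[0]); i++)
        if (speed_names[i].code == code)
            return speed_names[i].name;
    return "9600";
}

/* Build "<termtype>/<speed>" with bounds checking instead of strcat().
 * Returns 0 on success, -1 on a NULL argument or if it would not fit. */
int build_term(char *out, size_t outlen, const char *termtype, speed_t ospeed)
{
    int n;
    if (out == NULL || termtype == NULL)
        return -1;
    n = snprintf(out, outlen, "%s/%s", termtype, speed_to_str(ospeed));
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

int main(void)
{
    char term[64];
    struct termios ttyb;
    speed_t ospeed = (speed_t)29;   /* constructed: bogus code from the report */

    if (tcgetattr(0, &ttyb) == 0)   /* use the real tty speed when there is one */
        ospeed = cfgetospeed(&ttyb);
    if (build_term(term, sizeof term, "xterm", ospeed) == 0)
        puts(term);
    return 0;
}
```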