bin/150648: rshd(8): Incorrect determination of length of user name.
Andrey Ignatov
rdna at rdna.ru
Fri Sep 17 13:20:02 UTC 2010
>Number: 150648
>Category: bin
>Synopsis: rshd(8): Incorrect determination of length of user name.
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Fri Sep 17 13:20:00 UTC 2010
>Closed-Date:
>Last-Modified:
>Originator: Andrey Ignatov
>Release: FreeBSD 7.2-STABLE amd64
>Organization:
>Environment:
System: FreeBSD xxxxx.ru 7.2-STABLE FreeBSD 7.2-STABLE #0 r199991M: Fri Dec 18 16:02:18 MSK 2009 root at xxxxx.ru:/path/to/obj/dir/MYKERNEL amd64
>Description:
man 8 rshd:
-->
DESCRIPTION
...
6. A null terminated user name of at most 16 characters is retrieved on
the initial socket. This user name is interpreted as a user iden-
tity to use on the server's machine.
...
DIAGNOSTICS
...
Ruser too long.
The name of the user on the remote machine is longer than 16
characters.
...
<--
But a user whose name is 15 characters long (15 + '\0' = 16)
can't run a command via rsh on the host. He gets "Ruser too long".
This bug is critical for one of my users. The length of his name is 15
characters :)
>How-To-Repeat:
1. On host1 (rsh-server):
# testuser=$(jot -b u -s "" 15)
# echo ${#testuser}
15
# pw useradd $testuser -u 12345 -c "Test user" -d /home/test -g operator -m -w no -s /bin/sh
# pw usershow $testuser
uuuuuuuuuuuuuuu:*:12345:5::0:0:Test user:/home/test:/bin/sh
2. On host2 (client):
# testuser=$(jot -b u -s "" 15)
# echo ${#testuser}
15
# pw useradd $testuser -u 12345 -c "Test user" -d /home/test -g operator -m -w no -s /bin/sh
# pw usershow $testuser
uuuuuuuuuuuuuuu:*:12345:5::0:0:Test user:/home/test:/bin/sh
# su -l $testuser
$ id
uid=12345(uuuuuuuuuuuuuuu) gid=5(operator) groups=5(operator)
$ rsh host1 hostname
rshd: ruser too long
>Fix:
--- libexec/rshd/rshd.c.orig 2010-09-15 16:07:06.000000000 +0400
+++ libexec/rshd/rshd.c 2010-09-15 16:07:37.000000000 +0400
@@ -538,7 +538,7 @@
if (read(STDIN_FILENO, &c, 1) != 1)
exit(1);
*buf++ = c;
- if (--cnt == 0)
+ if (cnt-- == 0)
rshd_errx(1, "%s too long", error);
} while (c != 0);
}
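Review bot: in the changed test, cnt-- == 0 is evaluated after *buf++ = c, so the error is only raised once cnt + 1 bytes have been stored; if cnt is the size of the buffer (the callers are outside this hunk), a name of cnt or more characters writes one byte past its end before rshd_errx() runs. Consider keeping the pre-decrement and exempting the terminator instead, for example if (--cnt == 0 && c != 0), which accepts a 15-character name plus its NUL without any store beyond cnt bytes.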
>Release-Note:
>Audit-Trail:
>Unformatted:
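The three forms of the length check, modelled side by side as an added example that is not part of the original report or of rshd's source: the original test, the patched test, and a variant that exempts the terminating NUL. CAP = 16 is an assumption taken from the manual's "at most 16 characters"; the enum labels, model_getstr() and try_name() are hypothetical names, and the input names are constructed.

```c
#include <stdio.h>
#include <string.h>
#define CAP 16  /* assumed buffer size, from "at most 16 characters" */
enum check { ORIGINAL, PATCHED, BOUNDED };  /* hypothetical labels */
struct result { int accepted; size_t stored; };

/* Model of the loop: `in` is what the client sends, terminator included. */
static struct result model_getstr(const char *in, size_t inlen, enum check how)
{
	char backing[CAP * 2];  /* oversized so the model itself never overflows */
	char *buf = backing, c;
	int cnt = CAP, too_long;
	size_t i = 0;
	struct result r = { 0, 0 };
	do {
		if (i == inlen)     /* stands in for read() != 1 */
			return r;
		c = in[i++];
		*buf++ = c;
		r.stored++;
		too_long = how == ORIGINAL ? (--cnt == 0)
		         : how == PATCHED  ? (cnt-- == 0)
		         :                   (--cnt == 0 && c != 0);
		if (too_long)       /* stands in for rshd_errx() */
			return r;
	} while (c != 0);
	r.accepted = 1;
	return r;
}

/* Send a constructed name of namelen 'u' characters plus its NUL. */
static struct result try_name(size_t namelen, enum check how)
{
	char in[CAP * 2] = { 0 };
	memset(in, 'u', namelen);
	return model_getstr(in, namelen + 1, how);
}

int main(void)
{
	static const char *label[] = { "original", "patched", "bounded" };
	for (int how = ORIGINAL; how <= BOUNDED; how++)
		for (size_t n = 15; n <= 16; n++) {
			struct result r = try_name(n, (enum check)how);
			printf("%-8s len=%zu accepted=%d stored=%zu\n",
			    label[how], n, r.accepted, r.stored);
		}
	return 0;
}
```

In this model the patched check reports 17 stores for a 16-character name against a 16-byte field, while the bounded variant accepts 15 characters and never stores more than CAP bytes.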