From geminix.snafu.de!gemini@unlisys.NET  Tue May 28 15:08:12 1996
Received: from who.cdrom.com (who.cdrom.com [204.216.27.3])
          by freefall.freebsd.org (8.7.5/8.7.3) with SMTP id PAA05580
          for <FreeBSD-gnats-submit@freebsd.org>; Tue, 28 May 1996 15:08:11 -0700 (PDT)
Received: from unlisys.unlisys.NET (unlisys.unlisys.net [194.64.15.1])
          by who.cdrom.com (8.6.12/8.6.11) with SMTP id NAA07844
          for <FreeBSD-gnats-submit@freebsd.org>; Tue, 28 May 1996 13:06:48 -0700
Received: by unlisys.unlisys.NET from geminix.snafu.de with bsmtp
	  (Smail3.1.28.1 [@@])  id m0uOREi-000aBDC; Tue, 28 May 96 18:03 MET DST
Received: by geminix.snafu.de (Smail3.1.29.1)
	  id <m0uOLmh-0009ahC>; Tue, 28 May 96 12:13 MET DST
Message-Id: <m0uOLmh-0009ahC@geminix.snafu.de>
Date: Tue, 28 May 96 12:13 MET DST
From: gemini@geminix.snafu.de
Reply-To: gemini@who.cdrom.com
To: FreeBSD-gnats-submit@freebsd.org
Subject: Bug in rshd
X-Send-Pr-Version: 3.2

>Number:         1273
>Category:       bin
>Synopsis:       remote hostname gets corrupted in rshd
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          closed
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue May 28 15:10:02 PDT 1996
>Closed-Date:    Tue Oct 22 14:12:17 PDT 1996
>Last-Modified:  Tue Oct 22 14:12:48 PDT 1996
>Originator:     Uwe Doering
>Release:        FreeBSD 2.1-STABLE i386
>Organization:
>Environment:

	

>Description:
After rshd looked up the remote host name by calling gethostbyaddr(),
it calls iruserok() which internally calls gethostbyaddr() as well
and therefore corrupts the host name returned by the first call to
this function.

>How-To-Repeat:
From a machine that is neither in /etc/hosts.equiv nor in ~/.rhosts,
`rsh -K' to a host running FreeBSD 2.1R or -stable and look at the
remote host name in the `permission denied' line in /var/log/messages.
It's very likely wrong, corrupted or missing altogether.

>Fix:
Copy the remote host name into a private buffer so that it is
protected from network library functions.

Here's the fix:

--- rshd.c-dist	Sat Sep  2 16:40:24 1995
+++ rshd.c	Thu May 23 14:04:46 1996
@@ -200,6 +200,7 @@
 	char *cp, sig, buf[BUFSIZ];
 	char cmdbuf[NCARGS+1], locuser[16], remuser[16];
 	char remotehost[2 * MAXHOSTNAMELEN + 1];
+	char rremotehost[2 * MAXHOSTNAMELEN + 1];
 
 #ifdef	KERBEROS
 	AUTH_DAT	*kdata = (AUTH_DAT *) NULL;
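Review bot: the added `rremotehost` differs from the existing `remotehost` by a single letter, which makes the later assignments easy to misread. A name that says what the buffer holds, plus a one-line comment on each declaration stating which of `errorhost` and `hostname` ends up pointing at it, would keep a later edit from copying into the wrong buffer.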
@@ -332,13 +333,13 @@
 		 * address corresponds to the name.
 		 */
 		hostname = hp->h_name;
+		strncpy(remotehost, hp->h_name, sizeof(remotehost) - 1);
+		remotehost[sizeof(remotehost) - 1] = 0;
+		errorhost = remotehost;
 #ifdef	KERBEROS
 		if (!use_kerberos)
 #endif
 		if (check_all || local_domain(hp->h_name)) {
-			strncpy(remotehost, hp->h_name, sizeof(remotehost) - 1);
-			remotehost[sizeof(remotehost) - 1] = 0;
-			errorhost = remotehost;
 			hp = gethostbyname(remotehost);
 			if (hp == NULL) {
 				syslog(LOG_INFO,
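Review bot: `hostname = hp->h_name;` on the context line just above the added copy still leaves `hostname` pointing at resolver-owned storage while `gethostbyname(remotehost)` runs a few lines further down. Since `remotehost` now always holds the name at this point, consider `hostname = remotehost;` right after the copy so that no pointer into the resolver's buffer is live across the second lookup; `local_domain(hp->h_name)` could take `remotehost` for the same reason.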
@@ -366,8 +367,15 @@
 				}
 			}
 		}
-	} else
-		errorhost = hostname = inet_ntoa(fromp->sin_addr);
+		strncpy(rremotehost, hostname, sizeof(rremotehost) - 1);
+		rremotehost[sizeof(rremotehost) - 1] = 0;
+		hostname = rremotehost;
+	} else {
+		strncpy(rremotehost, inet_ntoa(fromp->sin_addr),
+			sizeof(rremotehost) - 1);
+		rremotehost[sizeof(rremotehost) - 1] = 0;
+		errorhost = hostname = rremotehost;
+	}
 
 #ifdef	KERBEROS
 	if (use_kerberos) {
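Review bot: the copy added at the end of the `if` branch carries no comment saying why it is needed, and the two branches now differ in a way that is easy to miss: the `if` path redirects only `hostname` to `rremotehost` while `errorhost` stays on `remotehost`, whereas the `else` path points both at `rremotehost`. A short comment that `iruserok()` calls `gethostbyaddr()` again and would overwrite the name, and a note that the asymmetry between the branches is intended, would make this safe to maintain.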
>Release-Note:
>Audit-Trail:

From: J Wunsch <j@uriah.heep.sax.de>
To: FreeBSD-gnats-submit@freebsd.org
Cc:
Subject: Re: bin/1273
Date: Thu, 18 Jul 1996 12:31:04 +0200 (MET DST)

 See also the duplicate bin/1395 for an alternate solution.
State-Changed-From-To: open->feedback 
State-Changed-By: scrappy 
State-Changed-When: Mon Oct 21 22:37:46 PDT 1996 
State-Changed-Why:  

confirm status (have tested it, and it seems to work okay) 

State-Changed-From-To: feedback->closed 
State-Changed-By: scrappy 
State-Changed-When: Tue Oct 22 14:12:17 PDT 1996 
State-Changed-Why:  

Fixed in rshd.c:Rev 1.9 
>Unformatted:
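The failure mode described in this report, as an added example that is not part of the original PR or of rshd: a pointer into library-owned static storage is silently rewritten by a later call, and a private copy is not. It uses inet_ntoa() (which the patch also copies) as an offline stand-in for gethostbyaddr(); the function names, buffer name and addresses are constructed for illustration.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample addresses from the documentation ranges. */
#define FIRST_ADDR  "192.0.2.10"
#define SECOND_ADDR "198.51.100.7"

static struct in_addr parse(const char *s)
{
	struct in_addr a;

	memset(&a, 0, sizeof(a));
	inet_pton(AF_INET, s, &a);
	return a;
}

/*
 * Unsafe pattern: keep the pointer the library handed back.
 * Returns 1 if the saved name still reads FIRST_ADDR after a later call.
 */
int saved_pointer_survives(void)
{
	struct in_addr a = parse(FIRST_ADDR), b = parse(SECOND_ADDR);
	const char *hostname = inet_ntoa(a);	/* points into static storage */

	(void)inet_ntoa(b);	/* stands in for the lookup inside iruserok() */
	return strcmp(hostname, FIRST_ADDR) == 0;
}

/*
 * Pattern used by the fix: copy into a caller-owned buffer first.
 * Returns 1 if the copied name still reads FIRST_ADDR after a later call.
 */
int private_copy_survives(void)
{
	struct in_addr a = parse(FIRST_ADDR), b = parse(SECOND_ADDR);
	char hostbuf[INET_ADDRSTRLEN];	/* hypothetical private buffer */

	strncpy(hostbuf, inet_ntoa(a), sizeof(hostbuf) - 1);
	hostbuf[sizeof(hostbuf) - 1] = 0;
	(void)inet_ntoa(b);
	return strcmp(hostbuf, FIRST_ADDR) == 0;
}
```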
