From rdna@rdna.ru  Fri Sep 17 13:14:36 2010
Return-Path: <rdna@rdna.ru>
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 52F951065694
	for <FreeBSD-gnats-submit@freebsd.org>; Fri, 17 Sep 2010 13:14:36 +0000 (UTC)
	(envelope-from rdna@rdna.ru)
Received: from mail-ew0-f54.google.com (mail-ew0-f54.google.com [209.85.215.54])
	by mx1.freebsd.org (Postfix) with ESMTP id E5F418FC0C
	for <FreeBSD-gnats-submit@freebsd.org>; Fri, 17 Sep 2010 13:14:35 +0000 (UTC)
Received: by ewy22 with SMTP id 22so1191804ewy.13
        for <FreeBSD-gnats-submit@freebsd.org>; Fri, 17 Sep 2010 06:14:35 -0700 (PDT)
Received: by 10.213.4.81 with SMTP id 17mr3844270ebq.90.1284727646057;
        Fri, 17 Sep 2010 05:47:26 -0700 (PDT)
Received: from localhost (dhcp170-128-red.yandex.net [95.108.170.128])
        by mx.google.com with ESMTPS id a48sm5687225eei.12.2010.09.17.05.47.24
        (version=TLSv1/SSLv3 cipher=RC4-MD5);
        Fri, 17 Sep 2010 05:47:25 -0700 (PDT)
Message-Id: <4c93635d.487e0e0a.167c.1f1b@mx.google.com>
Date: Fri, 17 Sep 2010 05:47:25 -0700 (PDT)
From: Andrey Ignatov <rdna@rdna.ru>
Reply-To: Andrey Ignatov <rdna@rdna.ru>
To: FreeBSD-gnats-submit@freebsd.org
Cc:
Subject: rshd(8): Incorrect determination of length of user name.
X-Send-Pr-Version: 3.113
X-GNATS-Notify:

>Number:         150648
>Category:       bin
>Synopsis:       [patch] rshd(8): Incorrect determination of length of user name.
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Fri Sep 17 13:20:00 UTC 2010
>Closed-Date:    
>Last-Modified:  Sun Sep 26 21:02:11 UTC 2010
>Originator:     Andrey Ignatov
>Release:        FreeBSD 7.2-STABLE amd64
>Organization:
>Environment:
System: FreeBSD xxxxx.ru 7.2-STABLE FreeBSD 7.2-STABLE #0 r199991M: Fri Dec 18 16:02:18 MSK 2009 root@xxxxx.ru:/path/to/obj/dir/MYKERNEL amd64

>Description:
man 8 rshd:
-->
DESCRIPTION
	...
     6.   A null terminated user name of at most 16 characters is retrieved on
	  the initial socket.  This user name is interpreted as a user iden-
	  tity to use on the server's machine.
	...
DIAGNOSTICS
	...
     Ruser too long.
	     The name of the user on the remote machine is longer than 16
	     characters.
	...
<--

But a user whose name is 15 characters long (15 + '\0' = 16)
can't run a command via rsh on the host. He gets "Ruser too long".

This bug is critical for one of my users. The length of his name is 15
characters :)

>How-To-Repeat:
1. On host1 (rsh-server):
# testuser=$(jot -b u -s "" 15)
# echo ${#testuser}
15
# pw useradd $testuser -u 12345 -c "Test user" -d /home/test -g operator -m -w no -s /bin/sh
# pw usershow $testuser
uuuuuuuuuuuuuuu:*:12345:5::0:0:Test user:/home/test:/bin/sh

2. On host2 (client):
# testuser=$(jot -b u -s "" 15)
# echo ${#testuser}
15
# pw useradd $testuser -u 12345 -c "Test user" -d /home/test -g operator -m -w no -s /bin/sh
# pw usershow $testuser
uuuuuuuuuuuuuuu:*:12345:5::0:0:Test user:/home/test:/bin/sh
# su -l $testuser
$ id
uid=12345(uuuuuuuuuuuuuuu) gid=5(operator) groups=5(operator)	
$ rsh host1 hostname
rshd: ruser too long


>Fix:

--- libexec/rshd/rshd.c.orig	2010-09-15 16:07:06.000000000 +0400
+++ libexec/rshd/rshd.c	2010-09-15 16:07:37.000000000 +0400
@@ -538,7 +538,7 @@
 		if (read(STDIN_FILENO, &c, 1) != 1)
 			exit(1);
 		*buf++ = c;
-		if (--cnt == 0)
+		if (cnt-- == 0)
 			rshd_errx(1, "%s too long", error);
 	} while (c != 0);
 }
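
Review bot: the changed test `if (cnt-- == 0)` still runs after the store `*buf++ = c`, so rshd_errx() is reached only once cnt + 1 bytes have been written. If cnt is the size of the buffer passed in, a name with no NUL in its first cnt bytes gets one byte stored past the end of buf before the "too long" exit. Keeping the pre-decrement and exempting the terminator, as in `if (--cnt == 0 && c != 0)`, accepts a name of cnt - 1 characters plus its NUL without ever storing more than cnt bytes. A short comment on the function stating whether cnt counts the terminating NUL would also settle how the "at most 16 characters" wording in rshd(8) is meant to be read.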


>Release-Note:
>Audit-Trail:
>Unformatted:
