From dan@fio.cz  Tue May  5 17:13:31 1998
Received: from fio.cz (phb93.vol.cz [195.250.152.222])
          by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id RAA14917
          for <FreeBSD-gnats-submit@freebsd.org>; Tue, 5 May 1998 17:13:25 -0700 (PDT)
          (envelope-from dan@fio.cz)
Received: (from dan@localhost)
	by danio.cz (8.8.8/8.8.8) id VAA03558;
	Tue, 5 May 1998 21:41:03 GMT
	(envelope-from dan)
Message-Id: <199805052141.VAA03558@danio.cz>
Date: Tue, 5 May 1998 21:41:03 GMT
From: dan@obluda.cz
Reply-To: dan@obluda.cz
To: FreeBSD-gnats-submit@freebsd.org
Subject: potential timing problem with login after bad password given  
X-Send-Pr-Version: 3.2

>Number:         6529
>Category:       bin
>Synopsis:       [ALMOST PATCH] potential timing problem with login after bad password given
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue May  5 17:20:01 PDT 1998
>Closed-Date:    Sun Aug 16 20:28:11 PDT 1998
>Last-Modified:  Sun Aug 16 20:29:06 PDT 1998
>Originator:     Dan Lukes
>Release:        FreeBSD 2.2.6-RELEASE i386
>Organization:
Dan Lukes 
>Environment:

	no special environment settings, standard installation
	"$Id: login.c,v 1.12.2.9 1998/02/18 12:07:42 markm Exp $"

>Description:

/usr.sbin/login/login.c:

The variable "backoff" is initialized (source line 267) from the login-backoff tag
of the login capabilities database or (source line 272) from DEFAULT_BACKOFF
(=3, see line 123).

Imagine that a user gives a bad password and see source line 513.
If the "cnt" variable (number of attempts) is greater than "backoff" then
sleep is called. The problem is with the sleep argument. ((cnt - 3) * 5) can
be a negative number if "backoff" is less than 2. If the login-backoff tag of the
login capabilities database is set to less than 2 by the administrator and the user
gives a bad password, then the sleep on line 518 causes login to sleep until it
times out (or receives SIGINT or SIGQUIT).

A similar situation occurs if the #define DEFAULT_BACKOFF (line 272) is
changed to 1 or less and the appropriate tag isn't present or the login capabilities
functions aren't compiled in.

IMHO, this inconsistency is related to the addition of login_capabilities_database
support to the login program, while this part of the program remained intact with the
old coded-in constants.

>How-To-Repeat:

Add the :login-backoff=1: tag to /etc/login.conf, class default, (re)start the
login program on a tty and try to log in with a bad password (two attempts).
login will sleep until SIGINT, SIGQUIT or login timeout.

>Fix:
	
Change line 518 of login.c from
                        sleep((u_int)((cnt - 3) * 5));
to
                        sleep((u_int)((cnt - backoff) * 5));

Recompile and reinstall login program.

The workaround is to set the login-backoff tag to 3 or more, or to remove this tag
from the login.conf database.
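The arithmetic behind the Description and the proposed fix, shown side by side as an added example that is not part of this PR or of FreeBSD's login.c; the names delay_original, delay_fixed and delay_is_unbounded are hypothetical, and the computation is re-created from the lines quoted above rather than copied from login.c.

```c
#include <limits.h>
#include <stdio.h>

/* Hypothetical re-creation of the delay computation the PR describes.
 * DEFAULT_BACKOFF is the value the PR quotes from login.c (3). */
#define DEFAULT_BACKOFF 3

/* Original expression (PR line 518): the hard-coded 3 survives even though
 * 'backoff' may now be 1 or 2 from login.conf. The cast to unsigned mirrors
 * the (u_int) cast in login.c, so a negative product becomes a huge value. */
unsigned int delay_original(int cnt, int backoff)
{
    if (cnt > backoff)
        return (unsigned int)((cnt - 3) * 5);
    return 0;
}

/* Proposed fix from the PR: subtract the configured backoff instead of 3,
 * so the product is never negative once cnt > backoff holds. */
unsigned int delay_fixed(int cnt, int backoff)
{
    if (cnt > backoff)
        return (unsigned int)((cnt - backoff) * 5);
    return 0;
}

/* A sanity check a reviewer might add: a backoff delay longer than an hour is
 * never intended and indicates the underflow described in the PR. */
int delay_is_unbounded(unsigned int seconds)
{
    return seconds > 3600u;
}

int main(void)
{
    int backoff = 1; /* :login-backoff=1: as in the PR's How-To-Repeat */

    for (int cnt = 1; cnt <= 4; cnt++) {
        unsigned int orig = delay_original(cnt, backoff);
        unsigned int fixed = delay_fixed(cnt, backoff);
        printf("cnt=%d original=%u%s fixed=%u\n", cnt, orig,
               delay_is_unbounded(orig) ? " (hang)" : "", fixed);
    }
    /* With the default backoff of 3 both expressions agree. */
    printf("default: original=%u fixed=%u\n",
           delay_original(4, DEFAULT_BACKOFF), delay_fixed(4, DEFAULT_BACKOFF));
    return 0;
}
```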

>Release-Note:
>Audit-Trail:
State-Changed-From-To: open->suspended 
State-Changed-By: phk 
State-Changed-When: Wed May 6 02:16:36 PDT 1998 
State-Changed-Why:  
Needs to find its committer... 
State-Changed-From-To: suspended->closed 
State-Changed-By: jkoshy 
State-Changed-When: Sun Aug 16 20:28:11 PDT 1998 
State-Changed-Why:  
Fixed in rev 1.38 of "src/usr.bin/login/login.c", thanks! 
>Unformatted:
