Date:      Sun, 5 May 2002 16:00:49 +0200 (CEST)
From:      Andre Albsmeier <andre.albsmeier@mchp.siemens.de>
To:        FreeBSD-gnats-submit@FreeBSD.org
Subject:   bin/37766: telnetd dumps core in sra.c (char* line can't be accessed)
Message-ID:  <200205051400.g45E0nsl087253@curry.mchp.siemens.de>


>Number:         37766
>Category:       bin
>Synopsis:       telnetd dumps core in sra.c (char* line can't be accessed)
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sun May 05 07:10:01 PDT 2002
>Closed-Date:
>Last-Modified:
>Originator:     Andre Albsmeier
>Release:        FreeBSD 4.5-STABLE i386
>Organization:
>Environment:

System: FreeBSD 4.5-STABLE #1: Tue Apr 30 09:02:27 CEST 2002


>Description:

Telnetting to a machine with -l root (no comments, please :-)) makes
telnetd dump core. When replacing the whole crypto/telnet/ directory with
a version from 28.3.02 the problem goes away. I assume it has to do with
the infamous global "char* line".


>How-To-Repeat:

andre@voyager:~>telnet -l root 127.1
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
Trying SRA secure login:
User (root): 
Password: 
Connection closed by foreign host.
andre@voyager:~>


Here is the gdb output:

root@voyager:/tmp/.allcores>gdb /usr/obj/src/src-4/secure/libexec/telnetd/telnetd 0-telnetd
GNU gdb 4.18
Copyright 1998 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-unknown-freebsd"...
Core was generated by `telnetd'.
Program terminated with signal 11, Segmentation fault.
Reading symbols from /usr/lib/libutil.so.3...done.
Reading symbols from /usr/lib/libncurses.so.5...done.
Reading symbols from /usr/lib/libmp.so.3...done.
Reading symbols from /usr/lib/libcrypto.so.2...done.
Reading symbols from /usr/lib/libcrypt.so.2...done.
Reading symbols from /usr/lib/libpam.so.1...done.
Reading symbols from /usr/lib/libc.so.4...done.
Reading symbols from /usr/lib/pam_unix.so...done.
Reading symbols from /usr/libexec/ld-elf.so.1...done.
#0  0x281fc303 in strncmp () from /usr/lib/libc.so.4
(gdb) where
#0  0x281fc303 in strncmp () from /usr/lib/libc.so.4
#1  0x28227fa4 in .curbrk () from /usr/lib/libc.so.4
#2  0x8052aac in rootterm (ttyn=0x7665642f <Address 0x7665642f out of bounds>)
    at /src/src-4/secure/lib/libtelnet/../../../crypto/telnet/libtelnet/sra.c:431
#3  0x8052ca9 in check_user (name=0x805d000 "root", cred=0x805d100 "test123")
    at /src/src-4/secure/lib/libtelnet/../../../crypto/telnet/libtelnet/sra.c:574
#4  0x80524b1 in sra_is (ap=0x805779c, 
    data=0x805ac24 "\0032B58CD976D30498Aÿð\n\002\b\013\002\025\f\002\027\r\002\022\016\002\026\017\002\021\020\002\023\021", cnt=17)
    at /src/src-4/secure/lib/libtelnet/../../../crypto/telnet/libtelnet/sra.c:206
#5  0x805050d in auth_is (data=0x805ac22 "\006", cnt=19)
    at /src/src-4/secure/lib/libtelnet/../../../crypto/telnet/libtelnet/auth.c:479
#6  0x804b697 in suboption ()
    at /src/src-4/secure/libexec/telnetd/../../../crypto/telnet/telnetd/state.c:1427
#7  0x804a7bc in telrcv ()
    at /src/src-4/secure/libexec/telnetd/../../../crypto/telnet/telnetd/state.c:338
#8  0x804e3e6 in ttloop ()
    at /src/src-4/secure/libexec/telnetd/../../../crypto/telnet/telnetd/utility.c:88
#9  0x804fcb3 in telnet_spin ()
    at /src/src-4/secure/libexec/telnetd/../../../crypto/telnet/telnetd/authenc.c:74
#10 0x805076e in auth_wait (name=0x805b000 "")
    at /src/src-4/secure/lib/libtelnet/../../../crypto/telnet/libtelnet/auth.c:572
#11 0x804cd63 in getterminaltype (name=0x805b000 "")
    at /src/src-4/secure/libexec/telnetd/../../../crypto/telnet/telnetd/telnetd.c:473
#12 0x804d2d1 in doit (who=0xbfbffc1c)
    at /src/src-4/secure/libexec/telnetd/../../../crypto/telnet/telnetd/telnetd.c:705
#13 0x804cbfe in main (argc=1, argv=0xbfbffcf4)
    at /src/src-4/secure/libexec/telnetd/../../../crypto/telnet/telnetd/telnetd.c:400
#14 0x8049c1d in _start ()
(gdb) quit

>Fix:

Unknown. Mark Murray might know about this since he MFC'ed the changes.


>Release-Note:
>Audit-Trail:
>Unformatted:
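
A triage aid for the backtrace above, added here as an example and not part of the original report or of the FreeBSD source: it scans gdb frame lines for pointer arguments whose four bytes are all printable ASCII, which on little-endian i386 suggests string data being used as an address. On frame #2, `ttyn=0x7665642f` decodes to `/dev`; the helper names `ptr_as_ascii` and `scan_frame` are hypothetical.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper: if all four bytes of a 32-bit little-endian pointer
 * value are printable ASCII, store them in memory order and return 1. */
static int ptr_as_ascii(uint32_t v, char out[5])
{
    for (int i = 0; i < 4; i++) {
        unsigned char b = (unsigned char)(v >> (8 * i));
        if (!isprint(b))
            return 0;
        out[i] = (char)b;
    }
    out[4] = '\0';
    return 1;
}

/* Hypothetical helper: count the "name=0x..." arguments in one gdb frame
 * line that decode to text; the last decoding found is left in out. */
static int scan_frame(const char *line, char out[5])
{
    int hits = 0;
    const char *p = line;

    while ((p = strstr(p, "=0x")) != NULL) {
        char *end, tmp[5];
        unsigned long v = strtoul(p + 1, &end, 16);

        if (v <= 0xffffffffUL && ptr_as_ascii((uint32_t)v, tmp)) {
            memcpy(out, tmp, sizeof tmp);
            hits++;
        }
        p = end;    /* strtoul always consumes at least the leading '0' */
    }
    return hits;
}

int main(void)
{
    /* Frames #2 and #10, copied from the backtrace in the report. */
    const char *frames[] = {
        "#2  0x8052aac in rootterm (ttyn=0x7665642f <Address 0x7665642f out of bounds>)",
        "#10 0x805076e in auth_wait (name=0x805b000 \"\")",
    };
    char text[5];

    for (size_t i = 0; i < sizeof frames / sizeof frames[0]; i++)
        if (scan_frame(frames[i], text) > 0)
            printf("suspect pointer holds \"%s\": %s\n", text, frames[i]);
    return 0;
}
```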