Various buffer overrun fixes and other security enhancements.

Obtained from: PST's fixes to the non-secure telnet{d}

8 files changed, 69 insertions, 22 deletions

diff --git a/eBones/libexec/telnetd/sys_term.c b/eBones/libexec/telnetd/sys_term.c
index 5ebd2ad..f9b1617 100644
--- a/eBones/libexec/telnetd/sys_term.c
+++ b/eBones/libexec/telnetd/sys_term.c
@@ -1667,6 +1667,7 @@ start_login(host, autologin, name)
 	if (auth_level >= 0 && autologin == AUTH_VALID) {
 # if	!defined(NO_LOGIN_F)
 		argv = addarg(argv, "-f");
+		argv = addarg(argv, "--");
 		argv = addarg(argv, name);
 # else
 #  if defined(LOGIN_R)
@@ -1739,17 +1740,14 @@ start_login(host, autologin, name)
 			pty = xpty;
 		}
 #  else
+		argv = addarg(argv, "--");
 		argv = addarg(argv, name);
 #  endif
 # endif
 	} else
 #endif
-	if ((user = getenv("USER"))) {
-	if (strchr(user, '-')) {
-			syslog(LOG_ERR, "tried to pass user \"%s\" to login",
-			       user);
-			fatal(net, "invalid user");
-		}
+ 	if (getenv("USER")) {
+ 		argv = addarg(argv, "--");
 		argv = addarg(argv, getenv("USER"));
 #if	defined(LOGIN_ARGS) && defined(NO_LOGIN_P)
 		{
diff --git a/eBones/libexec/telnetd/telnetd.c b/eBones/libexec/telnetd/telnetd.c
index 5785279..5191653 100644
--- a/eBones/libexec/telnetd/telnetd.c
+++ b/eBones/libexec/telnetd/telnetd.c
@@ -713,12 +713,14 @@ getterminaltype(name)
 	 * we have to just go with what we (might) have already gotten.
 	 */
 	if (his_state_is_will(TELOPT_TTYPE) && !terminaltypeok(terminaltype)) {
-	    (void) strncpy(first, terminaltype, sizeof(first));
+	    (void) strncpy(first, terminaltype, sizeof(first)-1);
+	    first[sizeof(first)-1] = '\0';
 	    for(;;) {
 		/*
 		 * Save the unknown name, and request the next name.
 		 */
-		(void) strncpy(last, terminaltype, sizeof(last));
+		(void) strncpy(last, terminaltype, sizeof(last)-1);
+		last[sizeof(last)-1] = '\0';
 		_gettermname();
 		if (terminaltypeok(terminaltype))
 		    break;
@@ -736,8 +738,10 @@ getterminaltype(name)
 		     * the start of the list.
 		     */
 		     _gettermname();
-		    if (strncmp(first, terminaltype, sizeof(first)) != 0)
-			(void) strncpy(terminaltype, first, sizeof(first));
+		    if (strncmp(first, terminaltype, sizeof(first)) != 0) {
+			(void) strncpy(terminaltype, first, sizeof(terminaltype)-1);
+			terminaltype[sizeof(terminaltype)-1] = '\0';
+		    }
 		    break;
 		}
 	    }
diff --git a/eBones/libexec/telnetd/utility.c b/eBones/libexec/telnetd/utility.c
index c8e34b8..b432fb2 100644
--- a/eBones/libexec/telnetd/utility.c
+++ b/eBones/libexec/telnetd/utility.c
@@ -103,6 +103,7 @@ stilloob(s)
     do {
 	FD_ZERO(&excepts);
 	FD_SET(s, &excepts);
+	memset((char *)&timeout, 0, sizeof timeout);
 	value = select(s+1, (fd_set *)0, (fd_set *)0, &excepts, &timeout);
     } while ((value == -1) && (errno == EINTR));
 
diff --git a/eBones/usr.bin/telnet/Makefile b/eBones/usr.bin/telnet/Makefile
index 876255d..7ec59bc 100644
--- a/eBones/usr.bin/telnet/Makefile
+++ b/eBones/usr.bin/telnet/Makefile
@@ -40,7 +40,7 @@ SRCS=	authenc.c commands.c main.c network.c ring.c sys_bsd.c telnet.c \
 	terminal.c tn3270.c utilities.c
 
 CFLAGS+=-DTERMCAP -DKLUDGELINEMODE -DUSE_TERMIO -DENV_HACK -DENCRYPTION
-CFLAGS+=-I${.CURDIR}/../../lib
+CFLAGS+=-DSKEY -I${.CURDIR}/../../lib
 LDADD+= -L${TELNETOBJDIR} -ltermcap -ltelnet
 DPADD+= ${TELNETOBJDIR}/libtelnet.a ${LIBTERMCAP}
 
diff --git a/eBones/usr.bin/telnet/commands.c b/eBones/usr.bin/telnet/commands.c
index 8e67187..c642877 100644
--- a/eBones/usr.bin/telnet/commands.c
+++ b/eBones/usr.bin/telnet/commands.c
@@ -120,6 +120,37 @@ static char saveline[256];
 static int margc;
 static char *margv[20];
 
+#if	defined(SKEY)
+#include <sys/wait.h>
+#define PATH_SKEY	"/usr/bin/key"
+    int
+skey_calc(argc, argv)
+	int argc;
+	char **argv;
+{
+	int status;
+
+	if(argc != 3) {
+		printf("%s sequence challenge\n", argv[0]);
+		return;
+	}
+
+	switch(fork()) {
+	case 0:
+		execv(PATH_SKEY, argv);
+		exit (1);
+	case -1:
+		perror("fork");
+		break;
+	default:
+		(void) wait(&status);
+		if (WIFEXITED(status))
+			return (WEXITSTATUS(status));
+		return (0);
+	}
+}
+#endif
+
     static void
 makeargv()
 {
@@ -511,7 +542,7 @@ togdebug()
     }
 #else	/* NOT43 */
     if (debug) {
-	if (net > 0 && SetSockOpt(net, SOL_SOCKET, SO_DEBUG, 0, 0) < 0)
+	if (net > 0 && SetSockOpt(net, SOL_SOCKET, SO_DEBUG, 1) < 0)
 	    perror("setsockopt (SO_DEBUG)");
     } else
 	printf("Cannot turn off socket debugging\n");
@@ -2330,10 +2361,15 @@ tn(argc, argv)
     } else {
 #endif
 	temp = inet_addr(hostp);
-	if (temp != (unsigned long) -1) {
-	    sin.sin_addr.s_addr = temp;
-	    sin.sin_family = AF_INET;
-	    (void) strcpy(_hostname, hostp);
+ 	if (temp != INADDR_NONE) {
+  	    sin.sin_addr.s_addr = temp;
+  	    sin.sin_family = AF_INET;
+ 	    host = gethostbyaddr((char *)&temp, sizeof(temp), AF_INET);
+ 	    if (host)
+ 	        (void) strncpy(_hostname, host->h_name, sizeof(_hostname));
+ 	    else
+ 		(void) strncpy(_hostname, hostp, sizeof(_hostname));
+ 	    _hostname[sizeof(_hostname)-1] = '\0';
 	    hostname = _hostname;
 	} else {
 	    host = gethostbyname(hostp);
@@ -2500,6 +2536,9 @@ static char
 #if	defined(unix)
 	zhelp[] =	"suspend telnet",
 #endif	/* defined(unix) */
+#if	defined(SKEY)
+	skeyhelp[] =    "compute response to s/key challenge",
+#endif
 	shellhelp[] =	"invoke a subshell",
 	envhelp[] =	"change environment variables ('environ ?' for more)",
 	modestring[] = "try to enter line or character mode ('mode ?' for more)";
@@ -2536,6 +2575,9 @@ static Command cmdtab[] = {
 #endif
 	{ "environ",	envhelp,	env_cmd,	0 },
 	{ "?",		helphelp,	help,		0 },
+#if	defined(SKEY)
+	{ "skey",       skeyhelp,       skey_calc,      0 },
+#endif		
 	{ 0, 0, 0, 0 }
 };
 
@@ -2721,7 +2763,7 @@ cmdrc(m1, m2)
 
     if (rcname == 0) {
 	rcname = getenv("HOME");
-	if (rcname)
+	if (rcname && (strlen(rcname) + 10) < sizeof(rcbuf))
 	    strcpy(rcbuf, rcname);
 	else
 	    rcbuf[0] = '\0';
diff --git a/eBones/usr.bin/telnet/externs.h b/eBones/usr.bin/telnet/externs.h
index c588bbc..fb96d9a 100644
--- a/eBones/usr.bin/telnet/externs.h
+++ b/eBones/usr.bin/telnet/externs.h
@@ -145,7 +145,8 @@ extern int
 #endif	/* defined(TN3270) */
     termdata,		/* Print out terminal data flow */
 #endif	/* defined(unix) */
-    debug;			/* Debug level */
+    debug,		/* Debug level */
+    clienteof;		/* Client received EOF */
 
 extern cc_t escape;	/* Escape to command mode */
 extern cc_t rlogin;	/* Rlogin mode escape character */
diff --git a/eBones/usr.bin/telnet/sys_bsd.c b/eBones/usr.bin/telnet/sys_bsd.c
index 9a3a723..c906bcf 100644
--- a/eBones/usr.bin/telnet/sys_bsd.c
+++ b/eBones/usr.bin/telnet/sys_bsd.c
@@ -1052,7 +1052,7 @@ process_rings(netin, netout, netex, ttyin, ttyout, poll)
 	    }
 #	    endif /* defined(TN3270) */
 		    /* I don't like this, does it ever happen? */
-	    printf("sleep(5) from telnet, after select\r\n");
+	    printf("sleep(5) from telnet, after select: %s\r\n", strerror(errno));
 	    sleep(5);
 	}
 	return 0;
diff --git a/eBones/usr.bin/telnet/telnet.c b/eBones/usr.bin/telnet/telnet.c
index a0b815b..735499f 100644
--- a/eBones/usr.bin/telnet/telnet.c
+++ b/eBones/usr.bin/telnet/telnet.c
@@ -115,7 +115,8 @@ int
 	donelclchars,	/* the user has set "localchars" */
 	donebinarytoggle,	/* the user has put us in binary */
 	dontlecho,	/* do we suppress local echoing right now? */
-	globalmode;
+	globalmode,
+	clienteof = 0;
 
 char *prompt = 0;
 
@@ -2195,9 +2196,9 @@ Scheduler(block)
     ttyout = ring_full_count(&ttyoring);
 
 #if	defined(TN3270)
-    ttyin = ring_empty_count(&ttyiring) && (shell_active == 0);
+    ttyin = ring_empty_count(&ttyiring) && (clienteof == 0) && (shell_active == 0);
 #else	/* defined(TN3270) */
-    ttyin = ring_empty_count(&ttyiring);
+    ttyin = ring_empty_count(&ttyiring) && (clienteof == 0);
 #endif	/* defined(TN3270) */
 
 #if	defined(TN3270)