Aren/NetBSD
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
e94b259c46
NetBSD/libexec/talkd/process.c
itojun 89b1e287f7 find_user() in process.c does an unbounded copy into a destination 
buffer that is smaller in size than the source buffer.

also, there is no guarantee that any of the string components of
the request packet are null terminated.

in some cases, not all elements of the response buffer are
explicitly set. specifically pad and addr. a talk client can spy to
see which host is talking to which host by sending out regular
packets, to which talkd responds without clearing the addr element.

from xs@kittenz.org
2002-09-19 14:39:51 +00:00

236 lines
6.1 KiB
C
Raw Blame History

/* $NetBSD: process.c,v 1.8 2002/09/19 14:39:51 itojun Exp $ */
/*
* Copyright (c) 1983, 1993
* The Regents of the University of California. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
* 3. All advertising materials mentioning features or use of this software
* must display the following acknowledgement:
* This product includes software developed by the University of
* California, Berkeley and its contributors.
* 4. Neither the name of the University nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*/
#include <sys/cdefs.h>
#ifndef lint
#if 0
static char sccsid[] = "@(#)process.c 8.2 (Berkeley) 11/16/93";
#else
__RCSID("$NetBSD: process.c,v 1.8 2002/09/19 14:39:51 itojun Exp $");
#endif
#endif /* not lint */
/*
* process.c handles the requests, which can be of three types:
* ANNOUNCE - announce to a user that a talk is wanted
* LEAVE_INVITE - insert the request into the table
* LOOK_UP - look up to see if a request is waiting in
* in the table for the local user
* DELETE - delete invitation
*/
#include <sys/param.h>
#include <sys/stat.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <protocols/talkd.h>
#include <netdb.h>
#include <syslog.h>
#include <stdio.h>
#include <string.h>
#include <paths.h>
#include "extern.h"
#include "utmpentry.h"
void
process_request(mp, rp)
CTL_MSG *mp;
CTL_RESPONSE *rp;
{
CTL_MSG *ptr;
rp->vers = TALK_VERSION;
rp->type = mp->type;
rp->id_num = htonl(0);
mp->id_num = ntohl(mp->id_num);
mp->addr.sa_family = ntohs(mp->addr.sa_family);
mp->ctl_addr.sa_family = ntohs(mp->ctl_addr.sa_family);
mp->pid = ntohl(mp->pid);
if (mp->vers != TALK_VERSION) {
syslog(LOG_WARNING, "Bad protocol version %d", mp->vers);
rp->answer = BADVERSION;
return;
}
if (mp->addr.sa_family != AF_INET) {
syslog(LOG_WARNING, "Bad address, family %d",
mp->addr.sa_family);
rp->answer = BADADDR;
return;
}
if (mp->ctl_addr.sa_family != AF_INET) {
syslog(LOG_WARNING, "Bad control address, family %d",
mp->ctl_addr.sa_family);
rp->answer = BADCTLADDR;
return;
}
if (debug || logging)
print_request("request", mp);
switch (mp->type) {
case ANNOUNCE:
do_announce(mp, rp);
break;
case LEAVE_INVITE:
ptr = find_request(mp);
if (ptr != (CTL_MSG *)0) {
rp->id_num = htonl(ptr->id_num);
rp->answer = SUCCESS;
} else
insert_table(mp, rp);
break;
case LOOK_UP:
ptr = find_match(mp);
if (ptr != (CTL_MSG *)0) {
rp->id_num = htonl(ptr->id_num);
rp->addr = ptr->addr;
rp->addr.sa_family = htons(ptr->addr.sa_family);
rp->answer = SUCCESS;
} else
rp->answer = NOT_HERE;
break;
case DELETE:
rp->answer = delete_invite(mp->id_num);
break;
default:
rp->answer = UNKNOWN_REQUEST;
break;
}
if (debug)
print_response("process_request done", rp);
}
void
do_announce(mp, rp)
CTL_MSG *mp;
CTL_RESPONSE *rp;
{
struct hostent *hp;
CTL_MSG *ptr;
int result;
/* see if the user is logged */
result = find_user(mp->r_name, mp->r_tty, sizeof(mp->r_tty));
if (result != SUCCESS) {
rp->answer = result;
return;
}
#define satosin(sa) ((struct sockaddr_in *)(sa))
hp = gethostbyaddr((char *)&satosin(&mp->ctl_addr)->sin_addr,
sizeof (struct in_addr), AF_INET);
if (hp == (struct hostent *)0) {
rp->answer = MACHINE_UNKNOWN;
return;
}
ptr = find_request(mp);
if (ptr == (CTL_MSG *) 0) {
insert_table(mp, rp);
rp->answer = announce(mp, hp->h_name);
return;
}
if (mp->id_num > ptr->id_num) {
/*
* This is an explicit re-announce, so update the id_num
* field to avoid duplicates and re-announce the talk.
*/
ptr->id_num = new_id();
rp->id_num = htonl(ptr->id_num);
rp->answer = announce(mp, hp->h_name);
} else {
/* a duplicated request, so ignore it */
rp->id_num = htonl(ptr->id_num);
rp->answer = SUCCESS;
}
}
/*
* Search utmp for the local user
*/
int
find_user(name, tty, ttysize)
char *name, *tty;
size_t ttysize;
{
int status;
struct stat statb;
struct utmpentry *ep;
char ftty[sizeof(_PATH_DEV) + sizeof(ep->line)];
time_t atime = 0;
int anytty = 0;
(void)getutentries(NULL, &ep);
status = NOT_HERE;
(void) strlcpy(ftty, _PATH_DEV, sizeof(ftty));
if (*tty == '\0')
anytty = 1;
for (; ep; ep = ep->next) {
if (strcmp(ep->name, name) != 0)
continue;
if (anytty) {
/* no particular tty was requested */
/* XXX strcpy is safe */
(void)strcpy(ftty + sizeof(_PATH_DEV) - 1, ep->line);
if (stat(ftty, &statb) != 0)
continue;
if (!(statb.st_mode & S_IWGRP)) {
if (status != SUCCESS)
status = PERMISSION_DENIED;
continue;
}
if (statb.st_atime > atime &&
strlcpy(tty, ep->line, ttysize) < ttysize) {
atime = statb.st_atime;
status = SUCCESS;
}
} else if (strcmp(ep->line, tty) == 0) {
status = SUCCESS;
break;
}
}
return (status);
}
Reference in New Issue View Git Blame Copy Permalink