
Re: patch to login, dmesg and obscure: msg#00239

linux.busybox

Subject: Re: patch to login, dmesg and obscure

On Mon Jul 28, 2003 at 03:55:32PM +0200, Ronny L Nilsson wrote:
>
> Hi
> I've discovered some bugs in the BusyBox unstable branch and since it doesn't
> seem to be fixed in the 1.0.0-pre1 release I created a patch with my changes.
> Description below:
>
>
> * libbb/obscure.c:password_check()
> There was a buffer overflow bug which caused the passwd command to segfault
> when invoked by any other than the superuser.

I'm not seeing it. I don't see the crash, and in looking
at your patch, I'm not seeing it fix any buffer overflows...

> * loginutils/login.c:
> The login process should always time out if the user doesn't log in
> successfully within reasonable time. Otherwise we're sensitive to a DOS
> attack by simply doing a bunch of simultaneous telnet connections (deploys
> all available TTYs).
>
> This patch makes login.c terminate the connection after "TIMEOUT" seconds.

This looks ok. Applied.

> * util-linux/dmesg.c:
> If BusyBox was compiled with -DCONFIG_FEATURE_CLEAN_UP dmesg command
> segfaults if invoked with the "-n" option. (Due to a free() of an
> uninitialized pointer).

Applied with an ifdef, per vodz' suggestion.

-Erik

--
Erik B. Andersen http://codepoet-consulting.com/
--This message was written using 73% post-consumer electrons--
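
The login timeout discussed in this thread, as an added example that is not part of the original messages and is not the BusyBox patch: a prompt read bounded by one deadline for the whole line, so a connection that never finishes logging in is dropped and its TTY freed. The thread does not show how the patch implements the timeout; `read_line_deadline`, the use of `poll()` and the `TIMEOUT` value of 60 are assumptions made for this illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <poll.h>
#include <time.h>
#include <unistd.h>

#define TIMEOUT 60 /* seconds; constructed value, the thread does not give one */

static long long now_ms(void)
{
    struct timespec ts;
    clock_gettime(CLOCK_MONOTONIC, &ts); /* monotonic: immune to clock changes */
    return (long long)ts.tv_sec * 1000 + ts.tv_nsec / 1000000;
}

/* Hypothetical helper, not a BusyBox function. Reads one line from fd under a
 * single deadline for the whole line, so a peer that trickles bytes cannot
 * hold the TTY. Returns the length, -1 on error, -2 on timeout. */
ssize_t read_line_deadline(int fd, char *buf, size_t size, unsigned secs)
{
    long long deadline = now_ms() + (long long)secs * 1000;
    size_t len = 0;
    ssize_t n, rc = 0;
    if (size == 0) return -1;
    while (len < size - 1) {
        long long left = deadline - now_ms();
        struct pollfd p = { .fd = fd, .events = POLLIN };
        char c;
        int r;
        if (left <= 0) { rc = -2; break; }          /* deadline passed */
        r = poll(&p, 1, left > 1000 ? 1000 : (int)left);
        if (r == 0 || (r < 0 && errno == EINTR)) continue; /* re-check deadline */
        if (r < 0) { rc = -1; break; }
        n = read(fd, &c, 1);
        if (n < 0 && errno == EINTR) continue;
        if (n < 0) { rc = -1; break; }
        if (n == 0 || c == '\n') break;             /* EOF or end of line */
        buf[len++] = c;
    }
    buf[len] = '\0';
    return rc < 0 ? rc : (ssize_t)len;
}

int main(void)
{
    char user[64];
    /* Exit status 1 on timeout or error: the caller closes the session. */
    return read_line_deadline(STDIN_FILENO, user, sizeof user, TIMEOUT) < 0;
}
```

The deadline covers the whole line rather than each `read()`, so sending one byte just before every expiry does not extend the session.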
