On Mon, May 25, 2009 at 07:27:03PM +0200, rembrandt wrote:
> "login" is prone to a local DoS when somebody presses the arrow key
> several times at the "login:" screen (no problem for the password field).

first of all login(1) does not handle login: prompt.
getty(8) does. i suppose you wanna look in the getty then?

what is the nature of the "dos"? can you please give more info
with your changes? otherwise they do not make any sense...

> I found no other special keys triggering this but it nerved me on oBSD
> pretty much. The question is where I'd patch it best?!
> 
> for (;;) {
>                 (void)printf("login: ");
>                 for (p = nbuf; (ch = getchar()) != '\n'; ) {
>                         if (ch == EOF) {
>                                 badlogin(username);
>                                 quickexit(0);
>                         }
>                         if (p < nbuf + (NBUFSIZ - 1))
>                                 *p++ = ch;
>                 }
>                 if (p > nbuf) {
>                         if (nbuf[0] == '-')
>                                 (void)fprintf(stderr,
>                                     "login names may not start with '-'.\n");
>                         else {
>                                 *p = '\0';
>                                 username = nbuf;
>                                 break;
>                         }
>                 }
> 
> Should I add another if-call or is limiting the loginname to ascii-only
> chars the better solution?
> 
> Kind regards,
> Rembrandt

-- 
    paranoic mickey       (my employers have changed but, the name has remained)
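
The "ASCII-only" restriction asked about in the quoted message, sketched as an added example; it is not code from this thread or from OpenBSD's login(1) or getty(8). The names `read_login_name`, `check_line` and `name_status` are hypothetical, the accepted range 0x21..0x7e (printable ASCII, no space) is an assumption, and the sample inputs are constructed.

```c
#define _POSIX_C_SOURCE 200809L	/* for fmemopen(3) */
#include <stdio.h>
#include <string.h>

enum name_status { NAME_OK, NAME_EOF, NAME_EMPTY, NAME_DASH, NAME_BADCHAR };

/*
 * Hypothetical helper. Reads one line, truncating at size - 1 bytes as the
 * quoted loop does, and accepts it only if every byte is printable ASCII
 * without space (0x21..0x7e). On VT100-style terminals an arrow key sends
 * a sequence starting with ESC (0x1b), so that byte rejects the whole line.
 */
static enum name_status
read_login_name(FILE *in, char *buf, size_t size)
{
	char *p = buf;
	int ch, bad = 0;

	while ((ch = getc(in)) != '\n') {
		if (ch == EOF)
			return NAME_EOF;
		if (ch < 0x21 || ch > 0x7e)
			bad = 1;	/* remember, but drain to end of line */
		if (p < buf + (size - 1))
			*p++ = (char)ch;
	}
	*p = '\0';
	if (bad) {
		buf[0] = '\0';	/* never hand back a rejected name */
		return NAME_BADCHAR;
	}
	if (p == buf)
		return NAME_EMPTY;
	return buf[0] == '-' ? NAME_DASH : NAME_OK;
}

/* Feed a constructed input string to the helper via POSIX fmemopen(3). */
static enum name_status
check_line(const char *line, char *out, size_t size)
{
	FILE *in = fmemopen((void *)line, strlen(line), "r");
	enum name_status st;

	if (in == NULL)
		return NAME_EOF;
	st = read_login_name(in, out, size);
	fclose(in);
	return st;
}
```

A caller would print the prompt again on `NAME_EMPTY`, `NAME_DASH` or `NAME_BADCHAR` and treat `NAME_EOF` the way the quoted loop treats `EOF`.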
