Date: Sun, 15 Aug 1999 14:22:52 -0700 (PDT) From: Kevin Vajk <kvajk@ricochet.net> To: security-audit@ferret.lmh.ox.ac.uk Subject: telnetd patch Below is a patch for telnetd. It generates an extra compiler warning from not using char *s, but it's easy to miss with all the other compiler warnings that scroll by as telnet builds. Sigh... As far as removing this functionality goes, I think it's worth it. Often I telnet from a linux system to a UNIX system, and upon logging in find that term type "linux" is unknown, or I telnet from a UNIX system to linux, and find that term type "dtterm" isn't known, so apparently this functionality isn't being used much (or used well) in the real world, anyhow. Comments? - Kevin Vajk <kvajk@ricochet.net> diff -u -d -r -P netkit-telnet-0.10.orig/telnetd/telnetd.c netkit-telnet-0.10/telnetd/telnetd.c --- netkit-telnet-0.10.orig/telnetd/telnetd.c Sun Dec 29 10:27:12 1996 +++ netkit-telnet-0.10/telnetd/telnetd.c Sun Aug 15 14:06:22 1999 @@ -577,21 +577,23 @@ static int terminaltypeok(char *s) { - char buf[2048]; if (terminaltype == NULL) return(1); /* - * tgetent() will return 1 if the type is known, and - * 0 if it is not known. If it returns -1, it couldn't - * open the database. But if we can't open the database, - * it won't help to say we failed, because we won't be - * able to verify anything else. So, we treat -1 like 1. + * We used to check if the type is known by doing: + * char buf[2048]; + * if (tgetent(buf, s) == 0) + * return(0); + * return(1); + * but Tymm Twillman pointed out that this is a security + * risk. (Opens us up to some nasty denial-of-services.) + * Now we just say the type if fine without even checking. + * If we're wrong, let the users' login scripts fix it. */ - if (tgetent(buf, s) == 0) - return(0); - return(1); + + return(0); } #ifndef MAXHOSTNAMELEN
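Review bot: the final return(0); in terminaltypeok() contradicts the new comment directly above it, which says the type is now accepted without checking. In this function 1 means the type is ok: the terminaltype == NULL branch returns 1, and the removed code returned 0 only when tgetent() reported the type as unknown. Returning 0 unconditionally therefore reports every non-NULL terminal type as not ok, the opposite of what the comment describes. Suggest changing the last statement to return(1);. The parameter s is now unused, which is the extra compiler warning the message mentions; a (void)s; at the top of the function would silence it without changing the signature. The comment text "the type if fine" should read "the type is fine".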