fix security problem; overflow the buffer and change the pc ret

[unix-history] / usr / src / libexec / fingerd / fingerd.c

/*
* Copyright (c) 1983 The Regents of the University of California.
* All rights reserved.
*
* Redistribution and use in source and binary forms are permitted
* provided that the above copyright notice and this paragraph are
* duplicated in all such forms and that any documentation,
* advertising materials, and other materials related to such
* distribution and use acknowledge that the software was developed
* by the University of California, Berkeley.  The name of the
* University may not be used to endorse or promote products derived
* from this software without specific prior written permission.
* THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR
* IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
* WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
*/

#ifndef lint
char copyright[] =
"@(#) Copyright (c) 1983 The Regents of the University of California.\n\
All rights reserved.\n";
#endif /* not lint */

#ifndef lint
static char sccsid[] = "@(#)fingerd.c   5.3 (Berkeley) %G%";
#endif /* not lint */

/*
* Finger server.
*/
#include <sys/types.h>
#include <netinet/in.h>
#include <stdio.h>
#include <ctype.h>

main(argc, argv)
       int argc;
       char *argv[];
{
       register char *sp;
       char line[512];
       struct sockaddr_in sin;
       int i, p[2], pid, status;
       FILE *fp;
       char *av[4];

       i = sizeof (sin);
       if (getpeername(0, &sin, &i) < 0)
               fatal(argv[0], "getpeername");
       if (fgets(line, sizeof(line), stdin) == NULL)
               exit(1);
       sp = line;
       av[0] = "finger";
       for (i = 1;;) {
               while (isspace(*sp))
                       sp++;
               if (!*sp)
                       break;
               if (*sp == '/' && (sp[1] == 'W' || sp[1] == 'w')) {
                       sp += 2;
                       av[i++] = "-l";
               }
               if (*sp && !isspace(*sp)) {
                       av[i++] = sp;
                       while (*sp && !isspace(*sp))
                               sp++;
                       *sp = '\0';
               }
       }
       av[i] = 0;
       if (pipe(p) < 0)
               fatal(argv[0], "pipe");
       if ((pid = fork()) == 0) {
               close(p[0]);
               if (p[1] != 1) {
                       dup2(p[1], 1);
                       close(p[1]);
               }
               execv("/usr/ucb/finger", av);
               _exit(1);
       }
       if (pid == -1)
               fatal(argv[0], "fork");
       close(p[1]);
       if ((fp = fdopen(p[0], "r")) == NULL)
               fatal(argv[0], "fdopen");
       while ((i = getc(fp)) != EOF) {
               if (i == '\n')
                       putchar('\r');
               putchar(i);
       }
       fclose(fp);
       while ((i = wait(&status)) != pid && i != -1)
               ;
       return(0);
}

fatal(prog, s)
       char *prog, *s;
{
       fprintf(stderr, "%s: ", prog);
       perror(s);
       exit(1);
}