Xref: utzoo comp.unix.xenix:4745 comp.dcom.modems:3306
Path: utzoo!utgpu!jarvis.csri.toronto.edu!mailrus!uflorida!haven!adm!cmcl2!phri!marob!manes
From: manes@marob.MASA.COM (Steve Manes)
Newsgroups: comp.unix.xenix,comp.dcom.modems
Subject: Bug: SCO vs. Smart Serial Boards
Message-ID: <493@marob.MASA.COM>
Date: 1 Feb 89 21:46:44 GMT
Followup-To: poster
Organization: ESCC  New York City
Lines: 70


Here's a bug that I've confirmed on two SCO 2.2 sites running smart
serial boards (or, at least, the Comtrol Smart Hostess and the Arnet,
which were the only boards available for me to test).  I've not been
able to duplicate the bug on SCO 2.3 or on 2.2 systems running "dumb"
serial boards. 

Basically, if you open another handle on the stdin of a modem port and
then close it, the serial drivers for these boards seem to shut down
stdin altogether and throw you off line immediately.  About half the
time (finger-in-the-wind estimate) it will leave the parent shell
running in a blocked condition that re-opens when the next user logs on
that tty port.  In others words, this is a dangerous security problem. 
I've spoken with Lori Slater at Comtrol and she's on the case. 

If you would, compile this program and run it while logged into a modem
port and mail the results to me.  I'm curious if this bug repeats itself
on all smart serial boards.  Repeat: the bug only appears on modem
ports, not on the console. 

---------- cut here ----------- cut here ------------- cut here ---------

#include <stdio.h>
#include <fcntl.h>

char	*strlwr();

main()
{
	char	mytty[25];
	int	kbfid;

	/* First, we open another handle on our raw tty port.
	 * In SCO, this will be the lowercase device
	 */
	strcpy(mytty, strlwr(ttyname(1)));
	if ((kbfid = open(mytty, O_RDONLY)) == -1) {
		/* if this fails, the lowercase port is probably not
		 * readable by the user (it should be)
		 */
		perror(mytty);
		exit(1);
	}
	fprintf(stderr, "\nInput device opened -- fid: %d\n", kbfid);

	/* Open succeeded.
	 * Now all we do is close the port we just opened...
	 */

	fprintf(stderr, "Now closing it...(cringe)\n");
	close(kbfid);

	/* If you've got the bug, you're history. */

	fprintf(stderr, "You're okay!\n");
}

char	*strlwr(s)
char	*s;
{
	int	i;
	
	for (i=0; s[i]; i++)
		s[i] = tolower(s[i]);
}

-- 
Steve Manes            Roxy Recorders, Inc.             Magpie-HQ BBS
UUCP : {rutgers|cmcl2}!hombre!magpie!manes              (212)420-0527
Smail: manes@MASA.COM