Path: utzoo!utgpu!jarvis.csri.toronto.edu!mailrus!ames!oliveb!apple!voder!wlbr!sms
From: sms@etn-wlv.eaton.com (Steven M. Schultz)
Newsgroups: comp.bugs.2bsd
Subject: /bin/su long usernames corrupt environment +FIX
Message-ID: <28605@wlbr.EATON.COM>
Date: 30 Mar 89 17:40:54 GMT
Sender: news@wlbr.EATON.COM
Reply-To: sms@etn-wlv.eaton.com (Steven M. Schultz)
Organization: Contel Federal Systems IMSD
Lines: 36

Index: bin/su.c 2.10BSD

Description:
	If a username is more than about 10 characters (either by accident
	or intentionally) the buffer 'userbuf' will overflow causing a
	corrupt environment.

Repeat-By:
	Either be running on a system with usernames allowed to be greater
	than the standard 8, or inadvertently add a user with a loginname
	of 10 or more characters. Note that the username is not truncated
	to the maximum number of characters that are in the utmp/wtmp
	structures.

Fix:
	Apply the patch below, it increases the userbuf to a size more in
	keeping with the overallocated sizes of the buffers which follow it.

*** su.c.old Thu Mar 30 09:26:16 1989 --- su.c Thu Mar 30 09:26:55 1989 *************** *** 22,28 **** #include #include ! char userbuf[16] = "USER="; char homebuf[128] = "HOME="; char shellbuf[128] = "SHELL="; char pathbuf[128] = "PATH=:/usr/ucb:/bin:/usr/bin"; --- 22,28 ---- #include #include ! char userbuf[64] = "USER="; char homebuf[128] = "HOME="; char shellbuf[128] = "SHELL="; char pathbuf[128] = "PATH=:/usr/ucb:/bin:/usr/bin";
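
Review bot: the changed line `char userbuf[64] = "USER=";` raises the overflow threshold but adds no bound. With 5 bytes taken by "USER=" and 1 by the terminating NUL, names up to 58 characters now fit, and the Description states that the name is not truncated, so a longer login name would still write past `userbuf` into `homebuf`. Since /bin/su builds the environment for the target user, I would rather see the copy into `userbuf` bounded by `sizeof userbuf` (truncating or refusing an over-long name) in the code that fills it, which this hunk does not show. It is also worth confirming that the writes into `homebuf` and `shellbuf` are length-checked against their 128 bytes, since the home directory and shell are variable-length strings as well.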