Xenix smart serial board driver bug

Steve Manes manes at marob.MASA.COM
Thu Feb 2 18:56:35 AEST 1989


Here's a bug that I've confirmed on two SCO XENIX sites running smart
serial boards (or, at least, the Comtrol Smart Hostess and the Arnet,
which were the only boards available for me to test).  I've not been
able to duplicate the bug on systems running "dumb" serial
boards but I've been that the program crashes just as well on 2.3 as 2.2.

Basically, if you open another handle on the stdin of a modem port and
then close it, the serial drivers for these boards seem to shut down
stdin altogether and throw you off line immediately.  About half the
time (finger-in-the-wind estimate) it will leave the parent shell
running in a blocked condition that re-opens when the next user logs on
that tty port.  In others words, this is a dangerous security problem. 
I've spoken with Lori Slater at Comtrol and she's on the case. 

If you would, compile this program and run it while logged into a modem
port and mail the results to me.  I'm curious if this bug repeats itself
on all smart serial boards.  Repeat: the bug only appears on modem
ports, not on the console. 

---------- cut here ----------- cut here ------------- cut here ---------

#include <stdio.h>
#include <fcntl.h>

char	*strlwr();

main()
{
	char	mytty[25];
	int	kbfid;

	/* First, we open another handle on our raw tty port.
	 * In SCO, this will be the lowercase device
	 */
	strcpy(mytty, strlwr(ttyname(1)));
	if ((kbfid = open(mytty, O_RDONLY)) == -1) {
		/* if this fails, the lowercase port is probably not
		 * readable by the user (it should be)
		 */
		perror(mytty);
		exit( 1 );
	}
	fprintf(stderr, "\nInput device opened -- fid: %d\n", kbfid);

	/* Open succeeded.
	 * Now all we do is close the port we just opened...
	 */

	fprintf(stderr, "Now closing it...(cringe)\n");
	close(kbfid);

	/* If you've got the bug, you're history. */

	fprintf(stderr, "You're okay!\n");
	exit( 0 );
}

char	*strlwr(s)
char	*s;
{
	int	i;
	
	for (i=0; s[i]; i++)
		s[i] = tolower(s[i]);
	return( s );
}

-- 
Steve Manes            Roxy Recorders, Inc.             Magpie-HQ BBS
UUCP : {rutgers|cmcl2}!hombre!magpie!manes              (212)420-0527
Smail: manes at MASA.COM



More information about the Comp.unix.xenix mailing list