"login" is prone to a local DoS when somebody presses the arrow key
several times at the "login:" screen (no problem for the password field).
I found no other special keys triggering this, but it nerved me on oBSD
pretty much. The question is where I'd patch it best?!

	for (;;) {
		(void)printf("login: ");
		/* Read up to the newline; every byte is stored unfiltered. */
		for (p = nbuf; (ch = getchar()) != '\n'; ) {
			if (ch == EOF) {
				badlogin(username);
				quickexit(0);
			}
			/* Bytes past NBUFSIZ - 1 are read and dropped. */
			if (p < nbuf + (NBUFSIZ - 1))
				*p++ = ch;
		}
		if (p > nbuf) {
			if (nbuf[0] == '-')
				(void)fprintf(stderr,
				    "login names may not start with '-'.\n");
			else {
				*p = '\0';
				username = nbuf;
				break;
			}
		}
	}

Should I add another if-call or is limiting the login name to ASCII-only
chars the better solution?

Kind regards,
Rembrandt
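
One way to implement the "ASCII-only" option asked about above, as an added example that is not part of the original post or of the login source. The helper names `read_login_name` and `check_line`, the value of `NBUFSIZ`, reading from a `FILE *` instead of `getchar()`, and the sample input (two ESC [ A sequences, which is what an arrow key sends on common terminals) are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define NBUFSIZ 64	/* assumed; the post does not show the definition */

/* Hypothetical helper: returns the name length, 0 if the line must be
 * re-prompted, -1 on EOF. */
int read_login_name(FILE *fp, char *buf, size_t bufsiz)
{
	char *p = buf;
	int ch, reject = 0;

	/* Drain to the newline even after a bad byte, so the tail of an
	 * escape sequence cannot leak into the next prompt. */
	while ((ch = getc(fp)) != '\n') {
		if (ch == EOF)
			return -1;
		if (ch < 0x20 || ch > 0x7e)	/* ESC, other controls, 8-bit */
			reject = 1;
		else if (p < buf + (bufsiz - 1))
			*p++ = (char)ch;
	}
	*p = '\0';
	if (reject || p == buf || buf[0] == '-')
		return 0;
	return (int)(p - buf);
}

/* Constructed input: feed n raw bytes through a temporary stream. */
int check_line(const char *bytes, size_t n, char *out)
{
	FILE *fp = tmpfile();
	int r;
	if (fp == NULL)
		return -2;
	fwrite(bytes, 1, n, fp);
	rewind(fp);
	r = read_login_name(fp, out, NBUFSIZ);
	fclose(fp);
	return r;
}

int main(void)
{
	char name[NBUFSIZ];
	int r = check_line("\033[A\033[A\n", 7, name);	/* two arrow keys */

	printf("arrow keys -> %d\n", r);
	r = check_line("rembrandt\n", 10, name);
	printf("plain name -> %d (%s)\n", r, name);
	return 0;
}
```

Rejecting the whole line, rather than stripping the ESC byte, avoids accepting the printable remainder of the sequence ("[A") as a login name.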