>From 4ebd6db10c712eb56d4e61f1a8d4a41d0465ed89 Mon Sep 17 00:00:00 2001 From: Miroslav Lichvar Date: Thu, 13 Jan 2011 17:36:06 +0100 Subject: [PATCH 5/6] Add more tty checks. --- src/extern.h | 1 + src/screen.c | 9 +++++++-- src/tty.sh | 14 ++++++++++++++ src/utmp.c | 6 +++--- 4 files changed, 25 insertions(+), 5 deletions(-) diff --git a/src/extern.h b/src/extern.h index 2b9722e..c787d99 100644 --- a/src/extern.h +++ b/src/extern.h @@ -110,6 +110,7 @@ extern void brktty __P((int)); extern struct baud_values *lookup_baud __P((int bps)); extern int SetBaud __P((struct mode *, int, int)); extern int SttyMode __P((struct mode *, char *)); +extern int CheckTtyname __P((char *)); /* mark.c */ diff --git a/src/screen.c b/src/screen.c index 3dde3b4..cc8f565 100644 --- a/src/screen.c +++ b/src/screen.c @@ -970,8 +970,13 @@ char **av; else \ attach_tty = ""; \ } \ - else if (stat(attach_tty, &st)) \ - Panic(errno, "Cannot access '%s'", attach_tty); \ + else \ + { \ + if (stat(attach_tty, &st)) \ + Panic(errno, "Cannot access '%s'", attach_tty); \ + if (CheckTtyname(attach_tty)) \ + Panic(0, "Bad tty '%s'", attach_tty); \ + } \ if (strlen(attach_tty) >= MAXPATHLEN) \ Panic(0, "TtyName too long - sorry."); \ } while (0) diff --git a/src/tty.sh b/src/tty.sh index f2afd54..e264796 100644 --- a/src/tty.sh +++ b/src/tty.sh @@ -60,6 +60,7 @@ exit 0 #include #include #include +#include #ifndef sgi # include #endif @@ -1506,6 +1507,19 @@ int ibaud, obaud; return 0; } + +int +CheckTtyname (tty) +char *tty; +{ + struct stat st; + + if (lstat(tty, &st) || !S_ISCHR(st.st_mode) || + (st.st_nlink > 1 && strncmp(tty, "/dev/", 5))) + return -1; + return 0; +} + /* * Write out the mode struct in a readable form */ diff --git a/src/utmp.c b/src/utmp.c index afa0948..aae1948 100644 --- a/src/utmp.c +++ b/src/utmp.c 
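Review bot: In the src/screen.c hunk the new `CheckTtyname(attach_tty)` call examines the path with its own `lstat()` right after `stat(attach_tty, &st)`, so `st` and the verdict come from two separate name lookups, and neither is tied to the object that is eventually opened. The code that opens attach_tty is not visible here; if it relies on this check alone, it should confirm the open descriptor with `fstat()` and `S_ISCHR` instead. A comment above the call, such as `/* must itself be a character device, not a symlink; extra hard links are tolerated only under /dev/ */`, would record what is being enforced. The macro body begins before and continues after this hunk.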
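Review bot: In the src/tty.sh hunk that adds CheckTtyname, the `strncmp(tty, "/dev/", 5)` exemption is a plain prefix match on the caller's string, so a multiply-linked character device is accepted whenever the name merely starts with `/dev/`, even if later components (`..` or a symlinked directory) resolve outside /dev. Canonicalise the directory part before comparing, for example with `realpath()`, or at least extend the `st_nlink > 1` branch to `(strncmp(tty, "/dev/", 5) || strstr(tty, "/../"))`. The function also has no comment; something like `/* Returns 0 if tty is a character device and not a symlink, -1 otherwise; more than one link is accepted only under /dev/. */` would state the contract that the callers in screen.c and utmp.c depend on.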
@@ -361,7 +361,7 @@ RemoveLoginSlot() char *tty; debug("couln't zap slot -> do mesg n\n"); D_loginttymode = 0; - if ((tty = ttyname(D_userfd)) && stat(tty, &stb) == 0 && (int)stb.st_uid == real_uid && ((int)stb.st_mode & 0777) != 0666) + if ((tty = ttyname(D_userfd)) && stat(tty, &stb) == 0 && (int)stb.st_uid == real_uid && !CheckTtyname(tty) && ((int)stb.st_mode & 0777) != 0666) { D_loginttymode = (int)stb.st_mode & 0777; chmod(D_usertty, stb.st_mode & 0600); @@ -387,7 +387,7 @@ RestoreLoginSlot() } UT_CLOSE; D_loginslot = (slot_t)0; - if (D_loginttymode && (tty = ttyname(D_userfd))) + if (D_loginttymode && (tty = ttyname(D_userfd)) && !CheckTtyname(tty)) chmod(tty, D_loginttymode); } @@ -853,7 +853,7 @@ getlogin() for (fd = 0; fd <= 2 && (tty = ttyname(fd)) == NULL; fd++) ; - if ((tty == NULL) || ((fd = open(UTMP_FILE, O_RDONLY)) < 0)) + if ((tty == NULL) || CheckTtyname(tty) || ((fd = open(UTMP_FILE, O_RDONLY)) < 0)) return NULL; tty = stripdev(tty); retbuf[0] = '\0'; -- 1.7.3.4
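Review bot: In RemoveLoginSlot the added `!CheckTtyname(tty)` vets the name returned by `ttyname(D_userfd)`, but the `chmod` two lines later is applied to `D_usertty`, a string this condition never examines, and both the check and the mode change work by name rather than on the descriptor. `D_userfd` is presumably already open at this point, so `fstat(D_userfd, &stb)` followed by `fchmod(D_userfd, stb.st_mode & 0600)` would act on the same object that was checked, provided fchmod exists on the supported platforms. The RestoreLoginSlot hunk has the same check-then-`chmod(tty, D_loginttymode)` pattern and could use `fchmod(D_userfd, D_loginttymode)`. Both function bodies extend beyond their hunks.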
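Review bot: In the getlogin hunk the `CheckTtyname(tty)` test sits after the `for` loop, so a name rejected for the first descriptor that has a tty ends the lookup with NULL instead of moving on to the remaining descriptors, and the rejection is silent. If that is intended, say so with a comment such as `/* a tty name that fails CheckTtyname is never looked up in utmp */`. A `debug()` line like the one in RemoveLoginSlot would let the refusal be told apart from a failed `open(UTMP_FILE, O_RDONLY)`. The function continues past the end of the hunk.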