Relevant BUGIDs:
authorDmitry V. Levin <ldv@altlinux.org>
Mon, 18 Feb 2008 13:37:46 +0000 (13:37 +0000)
committerDmitry V. Levin <ldv@altlinux.org>
Mon, 18 Feb 2008 13:37:46 +0000 (13:37 +0000)
Purpose of commit: bugfix

Commit summary:
---------------
2008-02-18  Dmitry V. Levin  <ldv@altlinux.org>

* libpam/pam_handlers.c (_pam_assemble_line): Fix potential
buffer overflow.
* xtests/tst-pam_assemble_line.pamd: New test for
_pam_assemble_line.
* xtests/tst-pam_assemble_line.sh: New script for
tst-pam_assemble_line.
* xtests/Makefile.am (NOSRCTESTS): Add tst-pam_assemble_line.

ChangeLog
libpam/pam_handlers.c
xtests/Makefile.am
xtests/tst-pam_assemble_line.pamd [new file with mode: 0644]
xtests/tst-pam_assemble_line.sh [new file with mode: 0644]

index ba1eedbef2db3e43239be2ed4d74e10549feb0da..9017cb1d46444fe399b27229ac3dfc0617140f51 100644 (file)
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,13 @@
 2008-02-18  Dmitry V. Levin  <ldv@altlinux.org>
 
+       * libpam/pam_handlers.c (_pam_assemble_line): Fix potential
+       buffer overflow.
+       * xtests/tst-pam_assemble_line.pamd: New test for
+       _pam_assemble_line.
+       * xtests/tst-pam_assemble_line.sh: New script for
+       tst-pam_assemble_line.
+       * xtests/Makefile.am (NOSRCTESTS): Add tst-pam_assemble_line.
+
        * modules/pam_exec/pam_exec.c (call_exec): Fix asprintf return
        code check.
 
index 1150814538935aabc21f1aeacbe69dec98bc17ff..848c4fa5ff38492b083ba935c1966aeb76a51ab5 100644 (file)
@@ -511,6 +511,7 @@ int _pam_init_handlers(pam_handle_t *pamh)
 static int _pam_assemble_line(FILE *f, char *buffer, int buf_len)
 {
     char *p = buffer;
+    char *endp = buffer + buf_len;
     char *s, *os;
     int used = 0;
 
@@ -518,12 +519,12 @@ static int _pam_assemble_line(FILE *f, char *buffer, int buf_len)
 
     D(("called."));
     for (;;) {
-       if (used >= buf_len) {
+       if (p >= endp) {
            /* Overflow */
            D(("_pam_assemble_line: overflow"));
            return -1;
        }
-       if (fgets(p, buf_len - used, f) == NULL) {
+       if (fgets(p, endp - p, f) == NULL) {
            if (used) {
                /* Incomplete read */
                return -1;
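Review bot: The guard `if (p >= endp)` still allows `fgets(p, endp - p, f)` to be called with a size of 1, where fgets has room only for the terminator and cannot store any character from the file. Whether `p` can actually land on `endp - 1` depends on the continuation handling later in `_pam_assemble_line`, which lies outside this hunk, so this needs checking against the full body. If it can, treating that case as overflow as well, `if (endp - p <= 1) {`, avoids relying on how an empty read is handled further down the loop. Since `used` no longer takes part in the bound, a short comment beside the `endp` declaration in the previous hunk would help, e.g. `/* reads are bounded by the write position p, not by used */`.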
index 62e32643298e7859152ba280c861acfcc1e6d3de..05aa7050c5fdcfb90e85d8452bb60ec359f78510 100644 (file)
@@ -38,7 +38,7 @@ XTESTS = tst-pam_dispatch1 tst-pam_dispatch2 tst-pam_dispatch3 \
        tst-pam_group1 tst-pam_authfail tst-pam_authsucceed
 
 NOSRCTESTS = tst-pam_substack1 tst-pam_substack2 tst-pam_substack3 \
-       tst-pam_substack4 tst-pam_substack5
+       tst-pam_substack4 tst-pam_substack5 tst-pam_assemble_line
 
 
 noinst_PROGRAMS = $(XTESTS)
diff --git a/xtests/tst-pam_assemble_line.pamd b/xtests/tst-pam_assemble_line.pamd
new file mode 100644 (file)
index 0000000..431b3ba
--- /dev/null
@@ -0,0 +1,8 @@
+#%PAM-1.0
+# Test that _pam_assemble_line() does not crash with long lines.
+# printf '%511s\\\n%511s\\\n%511s\\\n%511s\\\n'
+                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                               \
+                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                               \
+                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                               \
+                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                               \
+auth     required      pam_deny.so
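Review bot: This fixture only exposes a regression if the overflow actually crashes the process, as its own comment says (`does not crash with long lines`); a build without memory checking could overrun the buffer and still pass. Running this xtest under a memory checker, or checking the parser's result for the over-long line, would make a regression fail deterministically. The 511-column width presumably was chosen against the size of the line buffer handed to `_pam_assemble_line`, which is not visible on this page. A comment naming that buffer-size constant would keep the fixture in step if the size ever changes.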
diff --git a/xtests/tst-pam_assemble_line.sh b/xtests/tst-pam_assemble_line.sh
new file mode 100644 (file)
index 0000000..076b51c
--- /dev/null
@@ -0,0 +1,3 @@
+#!/bin/bash
+
+exec ./tst-pam_authfail tst-pam_assemble_line