From: Thorsten Kukuk Date: Wed, 18 Feb 2009 21:25:46 +0000 (+0000) Subject: Relevant BUGIDs: X-Git-Tag: Linux-PAM-1_0_91~10 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=2afda8880a7bdec2cae03ba4d210916fe7289804;p=linux-pam Relevant BUGIDs: Purpose of commit: sanity check Commit summary: --------------- 2009-02-18 Thorsten Kukuk * libpam/pam_password.c (pam_chauthtok): Make sure applications don't set internal flags.
---
diff --git a/ChangeLog b/ChangeLog
index 402e54fe..cc8a1ac0 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,8 @@
+2009-02-18 Thorsten Kukuk
+
+ * libpam/pam_password.c (pam_chauthtok): Make sure applications
+ don't set internal flags.
+
 2009-02-17 Thorsten Kukuk * doc/man/pam_sm_chauthtok.3.xml: Document that sufficient
diff --git a/libpam/pam_password.c b/libpam/pam_password.c
index 7100979f..70917c58 100644
--- a/libpam/pam_password.c
+++ b/libpam/pam_password.c
@@ -24,6 +24,13 @@ int pam_chauthtok(pam_handle_t *pamh, int flags)
 return PAM_SYSTEM_ERR;
 }
+ /* applications are not allowed to set this flags */
+ if (flags & (PAM_PRELIM_CHECK | PAM_UPDATE_AUTHTOK)) {
+ pam_syslog (pamh, LOG_ERR,
+ "PAM_PRELIM_CHECK or PAM_UPDATE_AUTHTOK set by application");
+ return PAM_SYSTEM_ERR;
+ }
+
 if (pamh->former.choice == PAM_NOT_STACKED) {
 _pam_start_timer(pamh); /* we try to make the time for a failure independent of the time it takes to
@@ -58,4 +65,3 @@ int pam_chauthtok(pam_handle_t *pamh, int flags)
 return retval;
 }
-
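Review bot: The guard added in the first libpam/pam_password.c hunk is a deny-list of exactly two bits, so any other bit an application sets in `flags` is still accepted and, presumably, passed on to the module stack by the part of pam_chauthtok that lies outside this hunk. If compatibility allows, an allow-list of the documented application flags would be stricter: `if (flags & ~(PAM_SILENT | PAM_CHANGE_EXPIRED_AUTHTOK)) {`. The log line would be more useful for triage if it carried the offending value, for example `"invalid flags 0x%x set by application", flags`. The comment should read `/* applications are not allowed to set these flags */`.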