From: Andrew G. Morgan Date: Mon, 12 Nov 2001 01:21:14 +0000 (+0000) Subject: Relevant BUGIDs: 473034 X-Git-Tag: Linux-PAM-0-76~53 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=99358b2b4e10db0778bcdf0ef829553f2d0b453f;p=linux-pam Relevant BUGIDs: 473034 Purpose of commit: bugfix Commit summary: --------------- pam_env was only coincidentally parsing environment variables correctly. Bug report from weichangyang of hotmail com. --- diff --git a/CHANGELOG b/CHANGELOG index 59ec83cf..3979c040 100644 --- a/CHANGELOG +++ b/CHANGELOG @@ -49,6 +49,9 @@ bug report - outstanding bugs are listed here: 0.76: please submit patches for this section with actual code/doc patches! +* pam_env: 'weichangyang of hotmail' pointed out a wild string with no + valid '\0' was leading to problems with sshd and suggested fix (Bug + 473034 - agmorgan) * MANDIR cleanup. It defaults to /usr/share/man, but can be overridden using the --enable-mandir ./configure option, similarly for DOCDIR from Nalin (Bug 476940 - agmorgan) diff --git a/modules/pam_env/pam_env.c b/modules/pam_env/pam_env.c index 52e54490..ba04c15e 100644 --- a/modules/pam_env/pam_env.c +++ b/modules/pam_env/pam_env.c @@ -4,7 +4,7 @@ * $Id$ * * Written by Dave Kinchlea 1997/01/31 - * Inspired by Andrew Morgan , who also supplied the * template for this file (via pam_mail) */ @@ -536,12 +536,14 @@ static int _expand_arg(pam_handle_t *pamh, char **value) * call pam_getenv and _pam_get_item_byname -- sigh */ - char type, tmpval[BUF_SIZE]; /* No unexpanded variable can be bigger than BUF_SIZE */ - char tmp[MAX_ENV]; /* I know this shouldn't be hard-coded but it's so - * much easier this way */ + /* No unexpanded variable can be bigger than BUF_SIZE */ + char type, tmpval[BUF_SIZE]; + + /* I know this shouldn't be hard-coded but it's so much easier this way */ + char tmp[MAX_ENV]; D(("Remember to initialize tmp!")); - tmp[0] = '\0'; + memset(tmp, 0, MAX_ENV); /* * (possibly non-existent) environment variables can be used as values @@ -563,15 +565,17 @@ static int _expand_arg(pam_handle_t *pamh, char **value) } else { /* is it really a good idea to try to log this? */ D(("Variable buffer overflow: <%s> + <%s>", tmp, tmpptr)); - _log_err(LOG_ERR, "Variable buffer overflow: <%s> + <%s>", tmp, tmpptr); + _log_err(LOG_ERR, "Variable buffer overflow: <%s> + <%s>", + tmp, tmpptr); } continue; } if ('$' == *orig || '@' == *orig) { if ('{' != *(orig+1)) { - D(("Expandable variables must be wrapped in {} <%s> - ignoring", orig)); - _log_err(LOG_ERR, "Expandable variables must be wrapped in {} <%s> - ignoring", - orig); + D(("Expandable variables must be wrapped in {}" + " <%s> - ignoring", orig)); + _log_err(LOG_ERR, "Expandable variables must be wrapped in {}" + " <%s> - ignoring", orig); if ((strlen(tmp) + 1) < MAX_ENV) { tmp[strlen(tmp)] = *orig++; /* Note the increment */ }