From: Dmitry V. Levin Date: Mon, 18 Feb 2008 13:37:46 +0000 (+0000) Subject: Relevant BUGIDs: X-Git-Tag: Linux-PAM-1_0_0~17 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=c7daf2606c535ebb2cd14b6e9aaba3c5894222e2;p=linux-pam Relevant BUGIDs: Purpose of commit: bugfix Commit summary: --------------- 2008-02-18 Dmitry V. Levin * libpam/pam_handlers.c (_pam_assemble_line): Fix potential buffer overflow. * xtests/tst-pam_assemble_line.pamd: New test for _pam_assemble_line. * xtests/tst-pam_assemble_line.sh: New script for tst-pam_assemble_line. * xtests/Makefile.am (NOSRCTESTS): Add tst-pam_assemble_line. --- diff --git a/ChangeLog b/ChangeLog index ba1eedbe..9017cb1d 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,5 +1,13 @@ 2008-02-18 Dmitry V. Levin + * libpam/pam_handlers.c (_pam_assemble_line): Fix potential + buffer overflow. + * xtests/tst-pam_assemble_line.pamd: New test for + _pam_assemble_line. + * xtests/tst-pam_assemble_line.sh: New script for + tst-pam_assemble_line. + * xtests/Makefile.am (NOSRCTESTS): Add tst-pam_assemble_line. + * modules/pam_exec/pam_exec.c (call_exec): Fix asprintf return code check. diff --git a/libpam/pam_handlers.c b/libpam/pam_handlers.c index 11508145..848c4fa5 100644 --- a/libpam/pam_handlers.c +++ b/libpam/pam_handlers.c @@ -511,6 +511,7 @@ int _pam_init_handlers(pam_handle_t *pamh) static int _pam_assemble_line(FILE *f, char *buffer, int buf_len) { char *p = buffer; + char *endp = buffer + buf_len; char *s, *os; int used = 0; @@ -518,12 +519,12 @@ static int _pam_assemble_line(FILE *f, char *buffer, int buf_len) D(("called.")); for (;;) { - if (used >= buf_len) { + if (p >= endp) { /* Overflow */ D(("_pam_assemble_line: overflow")); return -1; } - if (fgets(p, buf_len - used, f) == NULL) { + if (fgets(p, endp - p, f) == NULL) { if (used) { /* Incomplete read */ return -1; diff --git a/xtests/Makefile.am b/xtests/Makefile.am index 62e32643..05aa7050 100644 --- a/xtests/Makefile.am +++ b/xtests/Makefile.am @@ -38,7 +38,7 @@ XTESTS = tst-pam_dispatch1 tst-pam_dispatch2 tst-pam_dispatch3 \ tst-pam_group1 tst-pam_authfail tst-pam_authsucceed NOSRCTESTS = tst-pam_substack1 tst-pam_substack2 tst-pam_substack3 \ - tst-pam_substack4 tst-pam_substack5 + tst-pam_substack4 tst-pam_substack5 tst-pam_assemble_line noinst_PROGRAMS = $(XTESTS) diff --git a/xtests/tst-pam_assemble_line.pamd b/xtests/tst-pam_assemble_line.pamd new file mode 100644 index 00000000..431b3ba1 --- /dev/null +++ b/xtests/tst-pam_assemble_line.pamd @@ -0,0 +1,8 @@ +#%PAM-1.0 +# Test that _pam_assemble_line() does not crash with long lines. +# printf '%511s\\\n%511s\\\n%511s\\\n%511s\\\n' + \ + \ + \ + \ +auth required pam_deny.so diff --git a/xtests/tst-pam_assemble_line.sh b/xtests/tst-pam_assemble_line.sh new file mode 100644 index 00000000..076b51c0 --- /dev/null +++ b/xtests/tst-pam_assemble_line.sh @@ -0,0 +1,3 @@ +#!/bin/bash + +exec ./tst-pam_authfail tst-pam_assemble_line