From 53d6722ab192193c77d187645a31949d3de65f2b Mon Sep 17 00:00:00 2001
From: Tomas Mraz <tmraz@fedoraproject.org>
Date: Wed, 15 Jun 2011 20:55:30 +0200
Subject: [PATCH] Do not crash when remember, minlen, or rounds options are
 used with wrong module type.

---
 ChangeLog                  |  3 +++
 modules/pam_unix/support.c | 35 ++++++++++++++++++++++++-----------
 2 files changed, 27 insertions(+), 11 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index b3c499a5..fcc56e4d 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -11,6 +11,9 @@
 	* modules/pam_pwhistory/pam_pwhistory.8.xml: Document the
 	special meaning of remember=0.
 
+	* modules/pam_unix/support.c (_set_ctrl): Do not crash when remember,
+	minlen, or rounds options are used with wrong module type.
+
 2011-06-14  Thorsten Kukuk  <kukuk@thkukuk.de>
 
 	* configure.in: Check for libtirpc by default.
diff --git a/modules/pam_unix/support.c b/modules/pam_unix/support.c
index 0b8d4d64..cc350e58 100644
--- a/modules/pam_unix/support.c
+++ b/modules/pam_unix/support.c
@@ -83,7 +83,7 @@ int _set_ctrl(pam_handle_t *pamh, int flags, int *remember, int *rounds,
 	}
 	/* now parse the arguments to this module */
 
-	while (argc-- > 0) {
+	for (; argc-- > 0; ++argv) {
 		int j;
 
 		D(("pam_unix arg: %s", *argv));
@@ -99,24 +99,37 @@ int _set_ctrl(pam_handle_t *pamh, int flags, int *remember, int *rounds,
 			pam_syslog(pamh, LOG_ERR,
 			         "unrecognized option [%s]", *argv);
 		} else {
-			ctrl &= unix_args[j].mask;	/* for turning things off */
-			ctrl |= unix_args[j].flag;	/* for turning things on  */
-
 			/* special cases */
-			if (remember != NULL && j == UNIX_REMEMBER_PASSWD) {
+			if (j == UNIX_REMEMBER_PASSWD) {
+				if (remember == NULL) {
+					pam_syslog(pamh, LOG_ERR,
+					    "option remember not allowed for this module type");
+					continue;
+				}
 				*remember = strtol(*argv + 9, NULL, 10);
 				if ((*remember == INT_MIN) || (*remember == INT_MAX))
 					*remember = -1;
 				if (*remember > 400)
 					*remember = 400;
-			} else if (pass_min_len && j == UNIX_MIN_PASS_LEN) {
+			} else if (j == UNIX_MIN_PASS_LEN) {
+				if (pass_min_len == NULL) {
+					pam_syslog(pamh, LOG_ERR,
+					    "option minlen not allowed for this module type");
+					continue;
+				}
 				*pass_min_len = atoi(*argv + 7);
- 			}
-			if (rounds != NULL && j == UNIX_ALGO_ROUNDS)
+			} else if (j == UNIX_ALGO_ROUNDS) {
+				if (rounds == NULL) {
+					pam_syslog(pamh, LOG_ERR,
+					    "option rounds not allowed for this module type");
+					continue;
+				}
 				*rounds = strtol(*argv + 7, NULL, 10);
-		}
+			}
 
-		++argv;		/* step to next argument */
+			ctrl &= unix_args[j].mask;	/* for turning things off */
+			ctrl |= unix_args[j].flag;	/* for turning things on  */
+		}
 	}
 
 	if (UNIX_DES_CRYPT(ctrl)
@@ -132,7 +145,7 @@ int _set_ctrl(pam_handle_t *pamh, int flags, int *remember, int *rounds,
 	}
 
 	/* Set default rounds for blowfish */
-	if (on(UNIX_BLOWFISH_PASS, ctrl) && off(UNIX_ALGO_ROUNDS, ctrl)) {
+	if (on(UNIX_BLOWFISH_PASS, ctrl) && off(UNIX_ALGO_ROUNDS, ctrl) && rounds != NULL) {
 		*rounds = 5;
 		set(UNIX_ALGO_ROUNDS, ctrl);
 	}
-- 
2.40.0