authorTomas Mraz <tm@t8m.info>2008-11-24 14:06:15 +0000
committerTomas Mraz <tm@t8m.info>2008-11-24 14:06:15 +0000
commitb66f2f941f5dd41710b0e3f3251d5d664602911f (patch)
tree4dc50073f48e340c42f1441fbc15e7ec81f0a57a
parente6364f057ddd81b7eb06487047b20a04f29022af (diff)
Relevant BUGIDs:
Purpose of commit: bugfix Commit summary: --------------- 2008-11-24 Tomas Mraz <t8m@centrum.cz> * modules/pam_cracklib/pam_cracklib.c(pam_sm_chauthtok): Fix leaks in error path. * modules/pam_env/pam_env.c(_parse_env_file): Remove superfluous condition. * modules/pam_group/pam_group.c(check_account): Fix leak in error path. * modules/pam_listfile/pam_listfile.c(pam_sm_authenticate): Fix leak in error path. * modules/pam_securetty/pam_securetty.c(securetty_perform_check): Remove superfluous condition. * modules/pam_stress/pam_stress.c(stress_get_password,pam_sm_authenticate): Remove superfluous conditions. (pam_sm_chauthtok): Fix mistaken && for &. * modules/pam_unix/pam_unix_auth.c(pam_sm_authenticate): Remove superfluous condition. All the problems fixed in this commit were found by Steve Grubb.
-rw-r--r--ChangeLog28
-rw-r--r--modules/pam_cracklib/pam_cracklib.c2
-rw-r--r--modules/pam_env/pam_env.c2
-rw-r--r--modules/pam_group/pam_group.c2
-rw-r--r--modules/pam_listfile/pam_listfile.c1
-rw-r--r--modules/pam_securetty/pam_securetty.c2
-rw-r--r--modules/pam_stress/pam_stress.c7
-rw-r--r--modules/pam_unix/pam_unix_auth.c2
8 files changed, 38 insertions, 8 deletions
diff --git a/ChangeLog b/ChangeLog
index f8757df7..f86b86d5 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,31 @@
+2008-11-24 Tomas Mraz <t8m@centrum.cz>
+
+ * libpam/pam_handlers.c (_pam_parse_conf_file): '-' at
+ beginning of type token marks silent module.
+ (_pam_load_module): Add handler_type parameter. Do not log
+ module load error if module is silent.
+ (_pam_add_handler): Pass handler_type to _pam_load_module().
+ * libpam/pam_private.h: Add PAM_HT_SILENT_MODULE.
+ * doc/man/pam.conf-syntax.xml: Document the '-' at beginning
+ of type.
+
+ * modules/pam_cracklib/pam_cracklib.c(pam_sm_chauthtok): Fix leaks
+ in error path.
+ * modules/pam_env/pam_env.c(_parse_env_file): Remove superfluous
+ condition.
+ * modules/pam_group/pam_group.c(check_account): Fix leak
+ in error path.
+ * modules/pam_listfile/pam_listfile.c(pam_sm_authenticate): Fix leak
+ in error path.
+ * modules/pam_securetty/pam_securetty.c(securetty_perform_check): Remove
+ superfluous condition.
+ * modules/pam_stress/pam_stress.c(stress_get_password,pam_sm_authenticate):
+ Remove superfluous conditions.
+ (pam_sm_chauthtok): Fix mistaken && for &.
+ * modules/pam_unix/pam_unix_auth.c(pam_sm_authenticate): Remove
+ superfluous condition.
+ All the problems fixed in this commit were found by Steve Grubb.
+
2008-11-20 Tomas Mraz <t8m@centrum.cz>
* modules/pam_sepermit/pam_sepermit.c (sepermit_match): Do not
diff --git a/modules/pam_cracklib/pam_cracklib.c b/modules/pam_cracklib/pam_cracklib.c
index 2c4cd4a0..b94f8596 100644
--- a/modules/pam_cracklib/pam_cracklib.c
+++ b/modules/pam_cracklib/pam_cracklib.c
@@ -692,6 +692,7 @@ PAM_EXTERN int pam_sm_chauthtok(pam_handle_t *pamh, int flags,
}
if (retval != PAM_SUCCESS) {
+ token1 = _pam_delete(token1);
if (ctrl & PAM_DEBUG_ARG)
pam_syslog(pamh,LOG_DEBUG,"unable to obtain a password");
continue;
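Review bot: The two added `token1 = _pam_delete(token1);` calls sit next to an unbraced `if (ctrl & PAM_DEBUG_ARG)`: before it in this hunk, and after its `pam_syslog` line in the retyped-password hunk at -756. That makes the unconditional cleanup in the second hunk easy to misread as part of the debug branch. Bracing the debug `if` and putting the cleanup first in both places would keep the two error paths identical. By the second hunk token1 appears to hold the first password entry, so a comment that `_pam_delete` is expected to wipe the buffer before freeing it would help; its definition is not in the diff, so confirm that. Both hunks are inside a loop in pam_sm_chauthtok that starts and ends outside the diff.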
@@ -756,6 +757,7 @@ PAM_EXTERN int pam_sm_chauthtok(pam_handle_t *pamh, int flags,
if (retval != PAM_SUCCESS) {
if (ctrl & PAM_DEBUG_ARG)
pam_syslog(pamh,LOG_DEBUG,"unable to obtain retyped password");
+ token1 = _pam_delete(token1);
continue;
}
diff --git a/modules/pam_env/pam_env.c b/modules/pam_env/pam_env.c
index 80a20cd6..a8cd2c8f 100644
--- a/modules/pam_env/pam_env.c
+++ b/modules/pam_env/pam_env.c
@@ -211,7 +211,7 @@ _parse_env_file(pam_handle_t *pamh, int ctrl, const char *env_file)
key += strspn(key, " \n\t");
/* skip blanks lines and comments */
- if (!key || key[0] == '#')
+ if (key[0] == '#')
continue;
/* skip over "export " if present so we can be compat with
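Review bot: The comment above the changed test still says blank lines are skipped, but `if (key[0] == '#')` matches only comments; a line that is empty after the `strspn` skip has `key[0] == '\0'` and falls through. Whether later code in `_parse_env_file` rejects an empty key is outside the hunk, so either make the test `if (key[0] == '\0' || key[0] == '#')` or reword the comment to `/* skip comments */`. Dropping `!key` is fine, since `key` has already been dereferenced by `strspn` on the line above.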
diff --git a/modules/pam_group/pam_group.c b/modules/pam_group/pam_group.c
index 4a54da14..bddcf1cb 100644
--- a/modules/pam_group/pam_group.c
+++ b/modules/pam_group/pam_group.c
@@ -603,7 +603,7 @@ static int check_account(pam_handle_t *pamh, const char *service,
if (getgroups(no_grps, grps) < 0) {
D(("getgroups call failed"));
no_grps = 0;
- grps = NULL;
+ _pam_drop(grps);
}
#ifdef DEBUG
{
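Review bot: A failing `getgroups()` is reported only through `D((...))`, which in Linux-PAM is normally compiled out unless DEBUG is defined, so a production build would continue silently with `no_grps = 0`. check_account presumably goes on to use this list for group decisions, so I would log the failure next to `_pam_drop(grps);`, e.g. `pam_syslog(pamh, LOG_ERR, "getgroups failed: %m");`. A short comment that `_pam_drop` both frees `grps` and sets it to NULL would also explain why later code can still test the pointer. The rest of the function is outside the hunk.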
diff --git a/modules/pam_listfile/pam_listfile.c b/modules/pam_listfile/pam_listfile.c
index f276e5b8..dbd92058 100644
--- a/modules/pam_listfile/pam_listfile.c
+++ b/modules/pam_listfile/pam_listfile.c
@@ -239,6 +239,7 @@ pam_sm_authenticate (pam_handle_t *pamh, int flags UNUSED,
retval = pam_get_item(pamh,citem,&void_citemp);
citemp = void_citemp;
if(retval != PAM_SUCCESS) {
+ free(ifname);
return onerr;
}
if((citem == PAM_USER) && !citemp) {
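Review bot: `free(ifname)` is added to this one early return, but the hunk ends at the next check (`(citem == PAM_USER) && !citemp`), so it is not visible whether the remaining exits of pam_sm_authenticate release `ifname` as well. With a free on each return, every new exit has to remember the cleanup; routing the error exits through a single label that frees `ifname` and returns would remove that burden. If that is too large for this commit, a comment at the allocation such as `/* ifname is heap-allocated: every return below must free it */` would at least record the rule.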
diff --git a/modules/pam_securetty/pam_securetty.c b/modules/pam_securetty/pam_securetty.c
index 9dbe9bc4..ec796d9e 100644
--- a/modules/pam_securetty/pam_securetty.c
+++ b/modules/pam_securetty/pam_securetty.c
@@ -152,7 +152,7 @@ securetty_perform_check (pam_handle_t *pamh, int ctrl,
retval = PAM_AUTH_ERR;
} else {
- if ((retval == PAM_SUCCESS) && (ctrl & PAM_DEBUG_ARG)) {
+ if (ctrl & PAM_DEBUG_ARG) {
pam_syslog(pamh, LOG_DEBUG, "access allowed for '%s' on '%s'",
username, uttyname);
}
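Review bot: With `retval == PAM_SUCCESS` dropped, nothing in the visible `else` branch says why the "access allowed" message can only be reached on success; the condition that guarantees it is above the hunk. A one-line comment such as `/* retval is PAM_SUCCESS on this branch */` would keep the invariant visible if the branch is later reshuffled. The same applies to the debug-logging conditions simplified in pam_stress.c (pam_sm_authenticate) and pam_unix_auth.c in this commit.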
diff --git a/modules/pam_stress/pam_stress.c b/modules/pam_stress/pam_stress.c
index c254868f..01587fea 100644
--- a/modules/pam_stress/pam_stress.c
+++ b/modules/pam_stress/pam_stress.c
@@ -197,8 +197,7 @@ static int stress_get_password(pam_handle_t *pamh, int flags
}
return PAM_CONV_ERR;
}
- if (resp)
- free(resp);
+ free(resp);
}
*password = pass; /* this *MUST* be free()'d by this module */
@@ -238,7 +237,7 @@ int pam_sm_authenticate(pam_handle_t *pamh, int flags,
retval = PAM_USER_UNKNOWN; /* username was null */
return retval;
}
- else if ((ctrl & PAM_ST_DEBUG) && (retval == PAM_SUCCESS)) {
+ else if (ctrl & PAM_ST_DEBUG) {
pam_syslog(pamh, LOG_DEBUG,
"pam_sm_authenticate: username = %s", username);
}
@@ -426,7 +425,7 @@ int pam_sm_chauthtok(pam_handle_t *pamh, int flags,
if (ctrl & PAM_ST_FAIL_1)
return PAM_AUTHTOK_LOCK_BUSY;
- if ( !(ctrl && PAM_ST_EXPIRED)
+ if ( !(ctrl & PAM_ST_EXPIRED)
&& (flags & PAM_CHANGE_EXPIRED_AUTHTOK)
&& (pam_get_data(pamh,"stress_new_pwd", &text)
!= PAM_SUCCESS || strcmp(text,"yes"))) {
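Review bot: In the corrected condition, `strcmp(text,"yes")` runs whenever `pam_get_data` returns PAM_SUCCESS, and nothing visible rules out a NULL data pointer having been stored under "stress_new_pwd". Where that item is set is outside the hunk, so unless it is guaranteed non-NULL I would guard the comparison: `!= PAM_SUCCESS || text == NULL || strcmp(text, "yes") != 0`. The `if` body lies beyond the end of the hunk.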
diff --git a/modules/pam_unix/pam_unix_auth.c b/modules/pam_unix/pam_unix_auth.c
index dfedd608..05b5ec6c 100644
--- a/modules/pam_unix/pam_unix_auth.c
+++ b/modules/pam_unix/pam_unix_auth.c
@@ -132,7 +132,7 @@ PAM_EXTERN int pam_sm_authenticate(pam_handle_t * pamh, int flags
retval = PAM_USER_UNKNOWN;
AUTH_RETURN;
}
- if (retval == PAM_SUCCESS && on(UNIX_DEBUG, ctrl))
+ if (on(UNIX_DEBUG, ctrl))
D(("username [%s] obtained", name));
} else {
D(("trouble reading username"));