summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--ChangeLog8
-rw-r--r--libpam/pam_handlers.c5
-rw-r--r--xtests/Makefile.am2
-rw-r--r--xtests/tst-pam_assemble_line.pamd8
-rw-r--r--xtests/tst-pam_assemble_line.sh3
5 files changed, 23 insertions, 3 deletions
diff --git a/ChangeLog b/ChangeLog
index ba1eedbe..9017cb1d 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,13 @@
2008-02-18 Dmitry V. Levin <ldv@altlinux.org>
+ * libpam/pam_handlers.c (_pam_assemble_line): Fix potential
+ buffer overflow.
+ * xtests/tst-pam_assemble_line.pamd: New test for
+ _pam_assemble_line.
+ * xtests/tst-pam_assemble_line.sh: New script for
+ tst-pam_assemble_line.
+ * xtests/Makefile.am (NOSRCTESTS): Add tst-pam_assemble_line.
+
* modules/pam_exec/pam_exec.c (call_exec): Fix asprintf return
code check.
diff --git a/libpam/pam_handlers.c b/libpam/pam_handlers.c
index 11508145..848c4fa5 100644
--- a/libpam/pam_handlers.c
+++ b/libpam/pam_handlers.c
@@ -511,6 +511,7 @@ int _pam_init_handlers(pam_handle_t *pamh)
static int _pam_assemble_line(FILE *f, char *buffer, int buf_len)
{
char *p = buffer;
+ char *endp = buffer + buf_len;
char *s, *os;
int used = 0;
@@ -518,12 +519,12 @@ static int _pam_assemble_line(FILE *f, char *buffer, int buf_len)
D(("called."));
for (;;) {
- if (used >= buf_len) {
+ if (p >= endp) {
/* Overflow */
D(("_pam_assemble_line: overflow"));
return -1;
}
- if (fgets(p, buf_len - used, f) == NULL) {
+ if (fgets(p, endp - p, f) == NULL) {
if (used) {
/* Incomplete read */
return -1;
diff --git a/xtests/Makefile.am b/xtests/Makefile.am
index 62e32643..05aa7050 100644
--- a/xtests/Makefile.am
+++ b/xtests/Makefile.am
@@ -38,7 +38,7 @@ XTESTS = tst-pam_dispatch1 tst-pam_dispatch2 tst-pam_dispatch3 \
tst-pam_group1 tst-pam_authfail tst-pam_authsucceed
NOSRCTESTS = tst-pam_substack1 tst-pam_substack2 tst-pam_substack3 \
- tst-pam_substack4 tst-pam_substack5
+ tst-pam_substack4 tst-pam_substack5 tst-pam_assemble_line
noinst_PROGRAMS = $(XTESTS)
diff --git a/xtests/tst-pam_assemble_line.pamd b/xtests/tst-pam_assemble_line.pamd
new file mode 100644
index 00000000..431b3ba1
--- /dev/null
+++ b/xtests/tst-pam_assemble_line.pamd
@@ -0,0 +1,8 @@
+#%PAM-1.0
+# Test that _pam_assemble_line() does not crash with long lines.
+# printf '%511s\\\n%511s\\\n%511s\\\n%511s\\\n'
+ \
+ \
+ \
+ \
+auth required pam_deny.so
diff --git a/xtests/tst-pam_assemble_line.sh b/xtests/tst-pam_assemble_line.sh
new file mode 100644
index 00000000..076b51c0
--- /dev/null
+++ b/xtests/tst-pam_assemble_line.sh
@@ -0,0 +1,3 @@
+#!/bin/bash
+
+exec ./tst-pam_authfail tst-pam_assemble_line