1 files changed, 28 insertions, 9 deletions

diff --git a/Linux-PAM/modules/pam_issue/pam_issue.c b/Linux-PAM/modules/pam_issue/pam_issue.c
index 1f4853de..5665966e 100644
--- a/Linux-PAM/modules/pam_issue/pam_issue.c
+++ b/Linux-PAM/modules/pam_issue/pam_issue.c
@@ -38,7 +38,7 @@
 
 static int _user_prompt_set = 0;
 
-char *do_prompt (FILE *);
+static char *do_prompt (FILE *);
 
 /* --- authentication management functions (only) --- */
 
@@ -84,12 +84,19 @@ int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc,
     if ((fd = fopen(issue_file, "r")) != NULL) {
 	int tot_size = 0;
 
-	if (fstat(fileno(fd), &st) < 0)
+	if (fstat(fileno(fd), &st) < 0) {
+	    fclose(fd);
+	    if (issue_file)
+	        free(issue_file);
 	    return PAM_IGNORE;
+	}
 
 	retval = pam_get_item(pamh, PAM_USER_PROMPT,
 			      (const void **) &cur_prompt);
 	if (retval != PAM_SUCCESS) {
+	    fclose(fd);
+	    if (issue_file)
+	        free(issue_file);
 	    return PAM_IGNORE;
 	}
 	if (cur_prompt == NULL) {
@@ -101,6 +108,9 @@ int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc,
 	if (parse_esc) {
 	    prompt_tmp = do_prompt(fd);
 	    if (prompt_tmp == NULL) {
+	        fclose(fd);
+	        if (issue_file)
+	           free(issue_file);
 		return PAM_IGNORE;
 	    }
 	} else {
@@ -108,13 +118,17 @@ int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc,
 
 	    prompt_tmp = malloc(st.st_size + 1);
 	    if (prompt_tmp == NULL) {
+	        fclose(fd);
+	        if (issue_file)
+	           free(issue_file);
 		return PAM_IGNORE;
 	    }
 	    memset (prompt_tmp, '\0', st.st_size + 1);
-	    count = fread(prompt_tmp, sizeof(char *), st.st_size, fd);
+	    count = fread(prompt_tmp, 1, st.st_size, fd);
 	    if (count != st.st_size) {
-		free(prompt_tmp);
-		return PAM_IGNORE;
+	        fclose(fd);
+		retval = PAM_IGNORE;
+		goto cleanup;
 	    }
 	    prompt_tmp[st.st_size] = '\0';
 	}
@@ -130,7 +144,7 @@ int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc,
 	{
 	    char *prompt_tmp_tmp = prompt_tmp;
 
-	    prompt_tmp = realloc(prompt_tmp, tot_size);
+	    prompt_tmp = realloc(prompt_tmp, tot_size + 1);
 	    if (prompt_tmp == NULL) {
 		prompt_tmp = prompt_tmp_tmp;
 		retval = PAM_IGNORE;
@@ -151,6 +165,7 @@ int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc,
 
     } else {
 	D(("could not open issue_file: %s", issue_file));
+	free(issue_file);
 	return PAM_IGNORE;
     }
 
@@ -164,14 +179,18 @@ int pam_sm_setcred(pam_handle_t *pamh, int flags, int argc,
      return PAM_IGNORE;
 }
 
-char *do_prompt(FILE *fd)
+static char *do_prompt(FILE *fd)
 {
     int c, size = 1024;
-    char *issue = (char *)malloc(size);
+    char *issue;
     char buf[1024];
     struct utsname uts;
 
-    if (issue == NULL || fd == NULL)
+    if (fd == NULL)
+	return NULL;
+
+    issue = (char *)malloc(size);
+    if (issue == NULL)
 	return NULL;
 
     issue[0] = '\0'; /* zero this, for strcat to work on first buf */