1 files changed, 92 insertions, 0 deletions

diff --git a/debian/patches-applied/limits_wrong_strncpy b/debian/patches-applied/limits_wrong_strncpy
new file mode 100644
index 00000000..155eab51
--- /dev/null
+++ b/debian/patches-applied/limits_wrong_strncpy
@@ -0,0 +1,92 @@
+Patch for Debian bug #331278
+
+Remove a number of unnecessary string manipulations, including a
+strncpy() that was acting on overlapping memory.
+
+Authors: Steve Langasek <vorlon@debian.org>
+
+Upstream status: committed to CVS
+
+Index: pam/Linux-PAM/modules/pam_limits/pam_limits.c
+===================================================================
+--- pam.orig/Linux-PAM/modules/pam_limits/pam_limits.c
++++ pam/Linux-PAM/modules/pam_limits/pam_limits.c
+@@ -492,8 +492,6 @@
+     }
+ #undef CONF_FILE
+ 
+-    /* init things */
+-    memset(buf, 0, sizeof(buf));
+     /* start the show */
+     while (fgets(buf, LINE_LENGTH, fil) != NULL) {
+         char domain[LINE_LENGTH];
+@@ -502,46 +500,40 @@
+         char value[LINE_LENGTH];
+         int i;
+         size_t j;
+-        char *tptr;
++        char *tptr,*line;
+ 
+-        tptr = buf;
++        line = buf;
+         /* skip the leading white space */
+-        while (*tptr && isspace(*tptr))
+-            tptr++;
+-        strncpy(buf, tptr, sizeof(buf)-1);
+-	buf[sizeof(buf)-1] = '\0';
++        while (*line && isspace(*line))
++            line++;
+ 
+         /* Rip off the comments */
+-        tptr = strchr(buf,'#');
++        tptr = strchr(line,'#');
+         if (tptr)
+             *tptr = '\0';
+         /* Rip off the newline char */
+-        tptr = strchr(buf,'\n');
++        tptr = strchr(line,'\n');
+         if (tptr)
+             *tptr = '\0';
+         /* Anything left ? */
+-        if (!strlen(buf)) {
+-            memset(buf, 0, sizeof(buf));
++        if (!strlen(line))
+             continue;
+-        }
+ 
+-        memset(domain, 0, sizeof(domain));
+-        memset(ltype, 0, sizeof(ltype));
+-        memset(item, 0, sizeof(item));
+-        memset(value, 0, sizeof(value));
++	domain[0] = ltype[0] = item[0] = value[0] = '\0';
+ 
+-        i = sscanf(buf,"%s%s%s%s", domain, ltype, item, value);
++	i = sscanf(line,"%s%s%s%s", domain, ltype, item, value);
+ 	D(("scanned line[%d]: domain[%s], ltype[%s], item[%s], value[%s]",
+ 	   i, domain, ltype, item, value));
+ 
+         for(j=0; j < strlen(ltype); j++)
+             ltype[j]=tolower(ltype[j]);
+-        for(j=0; j < strlen(item); j++)
+-            item[j]=tolower(item[j]);
+-        for(j=0; j < strlen(value); j++)
+-            value[j]=tolower(value[j]);
+ 
+         if (i == 4) { /* a complete line */
++	    for(j=0; j < strlen(item); j++)
++		item[j]=tolower(item[j]);
++	    for(j=0; j < strlen(value); j++)
++		value[j]=tolower(value[j]);
++
+             if (strcmp(uname, domain) == 0) /* this user have a limit */
+                 process_limit(pamh, LIMITS_DEF_USER, ltype, item, value, ctrl, pl);
+             else if (domain[0]=='@' && !pl->root) {
+@@ -587,7 +579,7 @@
+ 		return PAM_IGNORE;
+ 	    }
+         } else {
+-            pam_syslog(pamh, LOG_WARNING, "invalid line '%s' - skipped", buf);
++            pam_syslog(pamh, LOG_WARNING, "invalid line '%s' - skipped", line);
+ 	}
+     }
+     fclose(fil);