From c2c601f5340a59c5c62193d55b555d384380ea38 Mon Sep 17 00:00:00 2001
From: "Dmitry V. Levin"
Date: Sat, 2 May 2020 00:09:48 +0000
Subject: pam_get_user: filter conversation function return values

Do not assume that the conversation function provided by the application strictly follows the return values guidelines, replace undocumented return values with PAM_CONV_ERR.

* libpam/pam_item.c (pam_get_user): If the value returned by the conversation function is not one of PAM_SUCCESS, PAM_BUF_ERR, PAM_CONV_AGAIN, or PAM_CONV_ERR, replace it with PAM_CONV_ERR.
---
 libpam/pam_item.c | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/libpam/pam_item.c b/libpam/pam_item.c
index 36298ce0..4cca6d9b 100644
--- a/libpam/pam_item.c
+++ b/libpam/pam_item.c
@@ -343,6 +343,16 @@ int pam_get_user(pam_handle_t *pamh, const char **user, const char *prompt)
 retval = pamh->pam_conversation->
 conv(1, &pmsg, &resp, pamh->pam_conversation->appdata_ptr);

+ switch (retval) {
+ case PAM_SUCCESS:
+ case PAM_BUF_ERR:
+ case PAM_CONV_AGAIN:
+ case PAM_CONV_ERR:
+ break;
+ default:
+ retval = PAM_CONV_ERR;
+ }
+
 if (retval == PAM_CONV_AGAIN) {
 /* conversation function is waiting for an event - save state */
 D(("conversation function is not ready yet"));
-- 
cgit v1.2.3
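Review bot: The `default:` arm of the new switch overwrites an out-of-contract return value with PAM_CONV_ERR without recording what the application's conversation function actually returned, which makes a misbehaving callback hard to diagnose afterwards. The surrounding code already uses the debug macro, so a trace placed before the assignment would keep the original value visible in debug builds, for example `D(("conversation function returned unexpected value %d", retval));` (this assumes D accepts printf-style arguments, which the hunk does not show). A one-line comment above the switch, such as `/* the application's conv() is not trusted to return only documented values */`, would keep the rationale next to the code instead of only in the commit message. pam_get_user begins and ends outside this hunk, so whether `resp` is released on the remapped path cannot be checked from here.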