From c7daf2606c535ebb2cd14b6e9aaba3c5894222e2 Mon Sep 17 00:00:00 2001
From: "Dmitry V. Levin" <ldv@altlinux.org>
Date: Mon, 18 Feb 2008 13:37:46 +0000
Subject: Relevant BUGIDs:

Purpose of commit: bugfix

Commit summary:
---------------
2008-02-18  Dmitry V. Levin  <ldv@altlinux.org>

	* libpam/pam_handlers.c (_pam_assemble_line): Fix potential
	buffer overflow.
	* xtests/tst-pam_assemble_line.pamd: New test for
	_pam_assemble_line.
	* xtests/tst-pam_assemble_line.sh: New script for
	tst-pam_assemble_line.
	* xtests/Makefile.am (NOSRCTESTS): Add tst-pam_assemble_line.
---
 libpam/pam_handlers.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

(limited to 'libpam/pam_handlers.c')

diff --git a/libpam/pam_handlers.c b/libpam/pam_handlers.c
index 11508145..848c4fa5 100644
--- a/libpam/pam_handlers.c
+++ b/libpam/pam_handlers.c
@@ -511,6 +511,7 @@ int _pam_init_handlers(pam_handle_t *pamh)
 static int _pam_assemble_line(FILE *f, char *buffer, int buf_len)
 {
     char *p = buffer;
+    char *endp = buffer + buf_len;
     char *s, *os;
     int used = 0;
 
@@ -518,12 +519,12 @@ static int _pam_assemble_line(FILE *f, char *buffer, int buf_len)
 
     D(("called."));
     for (;;) {
-	if (used >= buf_len) {
+	if (p >= endp) {
 	    /* Overflow */
 	    D(("_pam_assemble_line: overflow"));
 	    return -1;
 	}
-	if (fgets(p, buf_len - used, f) == NULL) {
+	if (fgets(p, endp - p, f) == NULL) {
 	    if (used) {
 		/* Incomplete read */
 		return -1;
-- 
cgit v1.2.3