From 23055e912682326d52c2cbba253b73292e591b46 Mon Sep 17 00:00:00 2001
From: "Dmitry V. Levin"
Date: Sat, 2 May 2020 00:09:48 +0000
Subject: pam_get_user: do not override valid values returned by the conversation function

When the conversation function returned a value different from PAM_CONV_AGAIN and provided no response, pam_get_user used to replace the return value with PAM_CONV_ERR. Fix this and replace the return value only if it was PAM_SUCCESS.

* libpam/pam_item.c (pam_get_user): Do not override valid values returned by the conversation function.
---
 libpam/pam_item.c | 48 ++++++++++++++++++++++++++----------------------
 1 file changed, 26 insertions(+), 22 deletions(-)

(limited to 'libpam')

diff --git a/libpam/pam_item.c b/libpam/pam_item.c
index 4cca6d9b..d6af710b 100644
--- a/libpam/pam_item.c
+++ b/libpam/pam_item.c
@@ -353,28 +353,32 @@ int pam_get_user(pam_handle_t *pamh, const char **user, const char *prompt)
 retval = PAM_CONV_ERR;
 }
 
- if (retval == PAM_CONV_AGAIN) {
- /* conversation function is waiting for an event - save state */
- D(("conversation function is not ready yet"));
- pamh->former.want_user = PAM_TRUE;
- pamh->former.prompt = _pam_strdup(use_prompt);
- } else if (resp == NULL || resp->resp == NULL) {
- /*
- * conversation should have given a response
- */
- D(("pam_get_user: no response provided"));
- retval = PAM_CONV_ERR;
- pamh->former.fail_user = retval;
- } else if (retval == PAM_SUCCESS) { /* copy the username */
- /*
- * now we set the PAM_USER item -- this was missing from pre.53
- * releases. However, reading the Sun manual, it is part of
- * the standard API.
- */
- retval = pam_set_item(pamh, PAM_USER, resp->resp);
- *user = pamh->user;
- } else
- pamh->former.fail_user = retval;
+ switch (retval) {
+ case PAM_CONV_AGAIN:
+ /* conversation function is waiting for an event - save state */
+ D(("conversation function is not ready yet"));
+ pamh->former.want_user = PAM_TRUE;
+ pamh->former.prompt = _pam_strdup(use_prompt);
+ break;
+ case PAM_SUCCESS:
+ if (resp != NULL && resp->resp != NULL) {
+ /*
+ * now we set the PAM_USER item -- this was missing from pre.53
+ * releases. However, reading the Sun manual, it is part of
+ * the standard API.
+ */
+ retval = pam_set_item(pamh, PAM_USER, resp->resp);
+ *user = pamh->user;
+ break;
+ } else {
+ /* conversation should have given a response */
+ D(("pam_get_user: no response provided"));
+ retval = PAM_CONV_ERR;
+ }
+ /* fallthrough */
+ default:
+ pamh->former.fail_user = retval;
+ }
 
 if (resp) {
 if (retval != PAM_SUCCESS)
-- 
cgit v1.2.3
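Review bot: In the `PAM_SUCCESS` case, `*user = pamh->user;` runs even when `pam_set_item` has just returned an error, so the caller's out-parameter is updated on a failed call; guarding it as `if (retval == PAM_SUCCESS) *user = pamh->user;` hands the name out only once the item was actually stored. That failure also leaves through `break`, so it is never written to `pamh->former.fail_user`, unlike the other error values handled by this switch; whether that is intended depends on how `fail_user` is consumed, which is outside the hunk. In the `PAM_CONV_AGAIN` case the result of `_pam_strdup(use_prompt)` is stored unchecked, so an allocation failure presumably leaves `former.prompt` NULL while `want_user` is already set. `pam_get_user` starts and ends outside this hunk, so the resume path and the final return could not be checked here.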