diff options
| author | Tobias Stoeckmann <tobias@stoeckmann.org> | 2023-12-15 00:01:09 +0100 |
|---|---|---|
| committer | Dmitry V. Levin <ldv@strace.io> | 2023-12-18 09:10:08 +0000 |
| commit | fe6287140bc4d37e6ef36ca1387ce1403b6dd742 (patch) | |
| tree | 47a1b35902f0c881ba1b636dd5d1ad84adfd7e6b | |
| parent | e07917e98ca1303c4329f3d556e2ea402720a0bb (diff) | |
| download | pam-fe6287140bc4d37e6ef36ca1387ce1403b6dd742.tar.gz pam-fe6287140bc4d37e6ef36ca1387ce1403b6dd742.tar.bz2 pam-fe6287140bc4d37e6ef36ca1387ce1403b6dd742.zip | |
pam_namespace: handle huge namespace.conf lines
If a lot of arguments are found in a namespace.conf file, argc might
overflow, which is an undefined behavior.
In most cases, the realloc will instantly fail due to a wrap around.
Protect properly by avoiding the calculation in the first place.
Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
| -rw-r--r-- | modules/pam_namespace/argv_parse.c | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/modules/pam_namespace/argv_parse.c b/modules/pam_namespace/argv_parse.c index fff93f4c..ac7c9ae0 100644 --- a/modules/pam_namespace/argv_parse.c +++ b/modules/pam_namespace/argv_parse.c @@ -28,6 +28,7 @@ * Version 1.1, modified 2/27/1999 */ +#include <limits.h> #include <stdlib.h> #include <ctype.h> #include <string.h> @@ -61,6 +62,11 @@ int argv_parse(const char *in_buf, int *ret_argc, char ***ret_argv) /* Not whitespace, so start a new token */ state = STATE_TOKEN; if (argc >= max_argc) { + if (max_argc >= INT_MAX - 3) { + free(argv); + free(buf); + return -1; + } max_argc += 3; new_argv = realloc(argv, (max_argc+1)*sizeof(char *)); |