authorTobias Stoeckmann <tobias@stoeckmann.org>2023-12-04 22:23:57 +0100
committerTobias Stoeckmann <tobias@stoeckmann.org>2023-12-04 22:41:44 +0100
commit40d87993dfbaf098f4b266e4f373d01dbd216314 (patch)
treeca6db5b3726ee8fd6b8c5a7b5a9b1e46c60e392c
parent12e829094b0ee4f16b716285684e1a0df4541910 (diff)
pam_echo: handle short reads
If the file parsed by pam_echo is larger than INT_MAX, then it is possible that uninitialized memory is printed on screen. The return value of pam_modutil_read is not negative if the size argument (cast to an int) is negative. Instead 0 is returned. This can also happen with any other file if a short read is triggered. Check if file is fully parsed or not. Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
-rw-r--r--modules/pam_echo/pam_echo.c4
1 files changed, 2 insertions, 2 deletions
diff --git a/modules/pam_echo/pam_echo.c b/modules/pam_echo/pam_echo.c
index d05597a2..6a7c2f64 100644
--- a/modules/pam_echo/pam_echo.c
+++ b/modules/pam_echo/pam_echo.c
@@ -183,7 +183,7 @@ pam_echo (pam_handle_t *pamh, int flags, int argc, const char **argv)
return PAM_IGNORE;
}
- if ((uintmax_t) st.st_size >= (uintmax_t) SIZE_MAX)
+ if ((uintmax_t) st.st_size > (uintmax_t) INT_MAX)
{
close (fd);
return PAM_BUF_ERR;
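Review bot: The oversize branch closes the descriptor and returns PAM_BUF_ERR without logging, so a file larger than INT_MAX makes the module fail with no trace in syslog. Assuming `file` is in scope here as it is in the read error path of the next hunk, a line such as `pam_syslog (pamh, LOG_ERR, "%s is too large to be displayed", file);` before `close (fd);` would make the rejection diagnosable. The new bound also needs a comment, because per the commit message INT_MAX is chosen only to match the int conversion of pam_modutil_read's size argument: `/* pam_modutil_read() takes an int count; reject anything it cannot read in one call */`. The body of pam_echo starts and ends outside this hunk.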
@@ -196,7 +196,7 @@ pam_echo (pam_handle_t *pamh, int flags, int argc, const char **argv)
return PAM_BUF_ERR;
}
- if (pam_modutil_read (fd, mtmp, st.st_size) == -1)
+ if (pam_modutil_read (fd, mtmp, st.st_size) != st.st_size)
{
pam_syslog (pamh, LOG_ERR, "Error while reading %s: %m", file);
free (mtmp);
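Review bot: The pam_syslog call in this branch still formats `%m`, but the branch is now also taken on a short read, where pam_modutil_read presumably stopped at end of file without setting errno. In that case the log line would carry a stale or misleading error string (possibly "Success"), which hides the condition this commit is meant to catch. I would keep the return value in a local and log the two cases separately, so a truncated or concurrently shrinking file is recognisable in the logs. The sketch declares the local at the point of use; move it to the top of the function if the file's style requires that. The rest of the error path and the end of pam_echo lie outside this hunk.

```c
  int rd = pam_modutil_read (fd, mtmp, st.st_size);
  if (rd != st.st_size)
    {
      if (rd == -1)
        pam_syslog (pamh, LOG_ERR, "Error while reading %s: %m", file);
      else
        pam_syslog (pamh, LOG_ERR, "Short read on %s: got %d of %lld bytes",
                    file, rd, (long long) st.st_size);
      /* … unchanged: free (mtmp) and the remainder of the error path … */
```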