diff options
| author | Tobias Stoeckmann <tobias@stoeckmann.org> | 2023-11-11 13:09:59 +0100 |
|---|---|---|
| committer | Dmitry V. Levin <github.dl@altlinux.org> | 2023-11-13 09:56:11 +0000 |
| commit | bcf20a531ca112e4c5fef77d57ed8eef56a05101 (patch) | |
| tree | 5f9a2e761d78dbc3b94ba4bdf43a1e57ecb858b3 | |
| parent | 71bb66067f979350921a9be58fc534822a15363c (diff) | |
| download | pam-bcf20a531ca112e4c5fef77d57ed8eef56a05101.tar.gz pam-bcf20a531ca112e4c5fef77d57ed8eef56a05101.tar.bz2 pam-bcf20a531ca112e4c5fef77d57ed8eef56a05101.zip | |
pam_echo: avoid heap overflow on huge files
The module might overflow heap on 32 bit systems if a 4 GB file is
supplied as argument.
Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
| -rw-r--r-- | modules/pam_echo/pam_echo.c | 7 |
1 files changed, 7 insertions, 0 deletions
diff --git a/modules/pam_echo/pam_echo.c b/modules/pam_echo/pam_echo.c index 181aeb4c..d05597a2 100644 --- a/modules/pam_echo/pam_echo.c +++ b/modules/pam_echo/pam_echo.c @@ -41,6 +41,7 @@ #include <stdio.h> #include <fcntl.h> #include <string.h> +#include <stdint.h> #include <stdlib.h> #include <unistd.h> #include <limits.h> @@ -182,6 +183,12 @@ pam_echo (pam_handle_t *pamh, int flags, int argc, const char **argv) return PAM_IGNORE; } + if ((uintmax_t) st.st_size >= (uintmax_t) SIZE_MAX) + { + close (fd); + return PAM_BUF_ERR; + } + mtmp = malloc (st.st_size + 1); if (!mtmp) { |