diff options
| author | Shaleen Bathla <shaleen.bathla@oracle.com> | 2024-03-04 12:53:44 +0530 |
|---|---|---|
| committer | Dmitry V. Levin <ldv@strace.io> | 2024-03-04 09:01:16 +0000 |
| commit | db25d975c804bbe5b86cb61b77723e040331bd16 (patch) | |
| tree | 3b99d95d39fe6d18d913bd96b842ff604bae7ae6 | |
| parent | f4e016bb697b7807dda2534e2a0d23c8b44de52f (diff) | |
| download | pam-db25d975c804bbe5b86cb61b77723e040331bd16.tar.gz pam-db25d975c804bbe5b86cb61b77723e040331bd16.tar.bz2 pam-db25d975c804bbe5b86cb61b77723e040331bd16.zip | |
pam_limits: fix potential use-after-free of pl->conf_file
When limits.d is processed, pl->conf_file consequently points to
elements of filename_list array which are freed later even though
it can still be used in the logging.
Signed-off-by: Shaleen Bathla <shaleen.bathla@oracle.com>
Co-authored-by: Dmitry V. Levin <ldv@strace.io>
Fixes: f6b973b92281 ("Add support for limits.d directory to pam_limits")
| -rw-r--r-- | modules/pam_limits/pam_limits.c | 12 |
1 files changed, 10 insertions, 2 deletions
diff --git a/modules/pam_limits/pam_limits.c b/modules/pam_limits/pam_limits.c index 59cd1f3c..51276265 100644 --- a/modules/pam_limits/pam_limits.c +++ b/modules/pam_limits/pam_limits.c @@ -1255,6 +1255,7 @@ pam_sm_open_session (pam_handle_t *pamh, int flags UNUSED, int ctrl; struct pam_limit_s plstruct; struct pam_limit_s *pl = &plstruct; + char *free_filename = NULL; D(("called.")); @@ -1315,13 +1316,18 @@ pam_sm_open_session (pam_handle_t *pamh, int flags UNUSED, if (retval != PAM_SUCCESS) break; } - for (i = 0; filename_list[i] != NULL; i++) - free(filename_list[i]); + for (i = 0; filename_list[i] != NULL; i++) { + if (filename_list[i] == pl->conf_file) + free_filename = filename_list[i]; + else + free(filename_list[i]); + } free(filename_list); } if (retval == PAM_IGNORE) { D(("the configuration file ('%s') has an applicable '<domain> -' entry", pl->conf_file)); + free(free_filename); free(pl->login_group); return PAM_SUCCESS; } @@ -1330,11 +1336,13 @@ out: if (retval != PAM_SUCCESS) { pam_syslog(pamh, LOG_ERR, "error parsing the configuration file: '%s' ", pl->conf_file); + free(free_filename); free(pl->login_group); return retval; } retval = setup_limits(pamh, pwd->pw_name, pwd->pw_uid, ctrl, pl); + free(free_filename); free(pl->login_group); if (retval & LOGIN_ERR) pam_error(pamh, _("There were too many logins for '%s'."), |