diff options
| author | Tobias Stoeckmann <tobias@stoeckmann.org> | 2023-10-12 21:59:15 +0200 |
|---|---|---|
| committer | Tobias Stoeckmann <tobias@stoeckmann.org> | 2023-10-13 06:54:39 +0200 |
| commit | da484d7243a18c5b3a572274d08c9f8f1b7f7b1d (patch) | |
| tree | 7bdb76a26654eb37b2172f2e16b42ece686d7745 /libpam/pam_env.c | |
| parent | 80dc2d410595b5193d32f965185710df27f3984e (diff) | |
| download | pam-da484d7243a18c5b3a572274d08c9f8f1b7f7b1d.tar.gz pam-da484d7243a18c5b3a572274d08c9f8f1b7f7b1d.tar.bz2 pam-da484d7243a18c5b3a572274d08c9f8f1b7f7b1d.zip | |
pam_env: fix handling of huge strings
pam_putenv and pam_getenv do not properly handle strings which are
longer than 2 GB (INT_MAX).
In pam_putenv the l2eq variable could overflow and turn negative,
leading to out of boundary access (after the fact that signed integer
overflow is undefined behavior).
In pam_getenv a very long string could lead to a small int value
so other environment variables could match.
The easiest fix for both is to use size_t.
Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
Diffstat (limited to 'libpam/pam_env.c')
| -rw-r--r-- | libpam/pam_env.c | 7 |
1 files changed, 4 insertions, 3 deletions
diff --git a/libpam/pam_env.c b/libpam/pam_env.c index bfeb57ab..002aed62 100644 --- a/libpam/pam_env.c +++ b/libpam/pam_env.c @@ -120,7 +120,7 @@ void _pam_drop_env(pam_handle_t *pamh) */ static int _pam_search_env(const struct pam_environ *env - , const char *name_value, int length) + , const char *name_value, size_t length) { int i; @@ -152,7 +152,8 @@ static int _pam_search_env(const struct pam_environ *env int pam_putenv(pam_handle_t *pamh, const char *name_value) { - int l2eq, item, retval; + size_t l2eq; + int item, retval; D(("called.")); IF_NO_PAMH("pam_putenv", pamh, PAM_ABORT); @@ -167,7 +168,7 @@ int pam_putenv(pam_handle_t *pamh, const char *name_value) */ for (l2eq=0; name_value[l2eq] && name_value[l2eq] != '='; ++l2eq); - if (l2eq <= 0) { + if (l2eq == 0) { pam_syslog(pamh, LOG_ERR, "pam_putenv: bad variable"); return PAM_BAD_ITEM; } |