author | Tobias Stoeckmann <tobias@stoeckmann.org> | 2023-11-10 20:25:14 +0100 |
---|---|---|
committer | Tobias Stoeckmann <tobias@stoeckmann.org> | 2023-11-10 20:25:14 +0100 |
commit | bfd2a786edc79d7ae4b49ca04e32181c382d5cef (patch) | |
tree | 3b15dac4e7147e626a3b44f201bd46424f714113 /libpam/pam_misc.c | |
parent | d6103b30050554d7b6ca6d55cb5b4ed3c9516663 (diff) | |
libpam: fix possible heap overflow in _pam_strdup
It is possible to trigger an integer overflow in _pam_strdup
if the passed string is longer than INT_MAX, which could lead
to a smaller memory allocation than needed for the strcpy call.
This in turn could lead to a heap overflow.
Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
Diffstat (limited to 'libpam/pam_misc.c')
-rw-r--r-- | libpam/pam_misc.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/libpam/pam_misc.c b/libpam/pam_misc.c index 449490c9..29147ce1 100644 --- a/libpam/pam_misc.c +++ b/libpam/pam_misc.c @@ -123,7 +123,7 @@ char *_pam_strdup(const char *x) register char *new=NULL; if (x != NULL) { - register int len; + register size_t len; len = strlen (x) + 1; /* length of string including NUL */ if ((new = malloc(len)) == NULL) { |
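
Review bot: on the changed declaration `register size_t len;`, the `register` qualifier could be dropped while this line is being touched, and the declaration could be merged with the assignment that follows it, as `const size_t len = strlen(x) + 1;`, so the length is never held in an uninitialized variable. With `len` now the same type that `strlen` returns and `malloc` accepts, the size no longer passes through `int`, which the commit message identifies as the cause of the undersized allocation. Since `len` already includes the terminating NUL, the copy after the `malloc` check (the commit message names `strcpy`) could be written as `memcpy(new, x, len)`, which ties the number of bytes written to the number of bytes allocated. It would also be worth checking the rest of `libpam/pam_misc.c` for other places where a `strlen` result is stored in an `int`.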