author | Kees Cook <kees@debian.org> | 2011-10-14 19:32:25 +0000 |
---|---|---|
committer | Dmitry V. Levin <ldv@altlinux.org> | 2011-10-14 19:32:25 +0000 |
commit | caf5e7f61c8d9288daa49b4f61962e6b1239121d (patch) | |
tree | 4eb2a6ea8e8de07a13ccabec4be6691a5da1245e /modules/pam_env/pam_env.c | |
parent | c5cbe7a04f82ac89372dd2765979aac66188dca1 (diff) | |
pam_env: correctly count leading whitespace when parsing environment file
* modules/pam_env/pam_env.c (_assemble_line): Correctly count leading
whitespace.
Fixes CVE-2011-3148.
Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/pam/+bug/874469
Diffstat (limited to 'modules/pam_env/pam_env.c')
-rw-r--r-- | modules/pam_env/pam_env.c | 5 |
1 files changed, 4 insertions, 1 deletions
diff --git a/modules/pam_env/pam_env.c b/modules/pam_env/pam_env.c
index 1ec01ca5..b7cd387f 100644
--- a/modules/pam_env/pam_env.c
+++ b/modules/pam_env/pam_env.c
@@ -290,6 +290,7 @@ static int _assemble_line(FILE *f, char *buffer, int buf_len)
 char *p = buffer;
 char *s, *os;
 int used = 0;
+ int whitespace;
 /* loop broken with a 'break' when a non-'\\n' ended line is read */
@@ -312,8 +313,10 @@ static int _assemble_line(FILE *f, char *buffer, int buf_len)
 /* skip leading spaces --- line may be blank */
- s = p + strspn(p, " \n\t");
+ whitespace = strspn(p, " \n\t");
+ s = p + whitespace;
 if (*s && (*s != '#')) {
+ used += whitespace;
 os = s;
 /* |
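Review bot: The added `used += whitespace;` in the second hunk carries no comment explaining why skipped whitespace must be counted, yet the fix depends on that invariant: the skipped bytes stay in `buffer` ahead of `os`, so `used` has to include them for any later size computation based on `used` to remain correct. I would add `/* leading whitespace stays in the buffer, so it counts toward used */` above that line so a later edit does not drop it. Separately, `whitespace` is declared `int` while `strspn()` returns `size_t`; the value is presumably bounded by `buf_len`, but a `size_t` local with an explicit cast at the addition would make the narrowing visible. The rest of `_assemble_line`, including whatever bounds check consumes `used`, lies outside both hunks, so it cannot be confirmed from here that every other path updates `used` consistently.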