diff options
| author | Tobias Stoeckmann <tobias@stoeckmann.org> | 2024-01-08 21:59:23 +0100 |
|---|---|---|
| committer | Dmitry V. Levin <ldv@strace.io> | 2024-01-08 20:59:23 +0000 |
| commit | d3b8c0723d0d691585474b0e14982f62b115a672 (patch) | |
| tree | d4df48013789e7119a68abea216911f080525f6f /modules/pam_unix/passverify.c | |
| parent | 92a85b74250bb146dcbd17966b88086047048620 (diff) | |
| download | pam-d3b8c0723d0d691585474b0e14982f62b115a672.tar.gz pam-d3b8c0723d0d691585474b0e14982f62b115a672.tar.bz2 pam-d3b8c0723d0d691585474b0e14982f62b115a672.zip | |
pam_unix: do not truncate user names
This could allow users with very long names to impersonate a user
with a 255 characters long name.
The check if the argument argv[1] actually matches the user name
implies that "user" can unconditionally be set to argv[1]: If they are
equal, the strings are obviously equal. If they are not or if null is
returned by getuidname, "user" is set to argv[1] anyway.
This way, the static buffer can be safely removed because the result
of getpwuid() is not stored, which means that subsequent calls to
such functions can safely overwrite their internal buffers.
Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
Diffstat (limited to 'modules/pam_unix/passverify.c')
| -rw-r--r-- | modules/pam_unix/passverify.c | 6 |
1 files changed, 1 insertions, 5 deletions
diff --git a/modules/pam_unix/passverify.c b/modules/pam_unix/passverify.c index c48e3c5a..c6515a65 100644 --- a/modules/pam_unix/passverify.c +++ b/modules/pam_unix/passverify.c @@ -1190,16 +1190,12 @@ char * getuidname(uid_t uid) { struct passwd *pw; - static char username[256]; pw = getpwuid(uid); if (pw == NULL) return NULL; - strncpy(username, pw->pw_name, sizeof(username)); - username[sizeof(username) - 1] = '\0'; - - return username; + return pw->pw_name; } #endif |