author | Tobias Stoeckmann <tobias@stoeckmann.org> | 2023-12-07 18:30:12 +0100 |
---|---|---|
committer | Dmitry V. Levin <ldv@strace.io> | 2023-12-07 17:46:54 +0000 |
commit | d611afcbd52bc13c2455375d5c4fb20839f09f4a (patch) | |
tree | c5949dd806da39fe92c3f9072ddc1490456d42d3 /modules/pam_unix/support.c | |
parent | bde5b4c310458db8b3b8f5a15bedded184a2acff (diff) | |
pam_unix: handle invalid names in _unix_getpwnam

It is possible to trigger an out of boundary read with very long
usernames (strlen's result is stored in an int) or, with even
longer usernames, match other users with same prefix. This would
mean that roott[and lots of t's following] could match root user.
Also do not allow ':' in names when iterating through the passwd
file this way.

Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>

Diffstat (limited to 'modules/pam_unix/support.c')
-rw-r--r-- | modules/pam_unix/support.c | 5 |
1 files changed, 3 insertions, 2 deletions
diff --git a/modules/pam_unix/support.c b/modules/pam_unix/support.c index cfc3003c..287ec5d9 100644 --- a/modules/pam_unix/support.c +++ b/modules/pam_unix/support.c @@ -321,11 +321,12 @@ int _unix_getpwnam(pam_handle_t *pamh, const char *name, char buf[16384]; int matched = 0, buflen; char *slogin, *spasswd, *suid, *sgid, *sgecos, *shome, *sshell, *p; + size_t userlen; memset(buf, 0, sizeof(buf)); - if (!matched && files) { - int userlen = strlen(name); + userlen = strlen(name); + if (!matched && files && userlen < sizeof(buf) && strchr(name, ':') == NULL) { passwd = fopen("/etc/passwd", "r"); if (passwd != NULL) { while (fgets(buf, sizeof(buf), passwd) != NULL) { |
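
Review bot: The two new conditions on the `if (!matched && files && userlen < sizeof(buf) && strchr(name, ':') == NULL)` line carry no comment, so the reason for each bound lives only in the commit message. A short comment above the `if` would keep it with the code: a line read by `fgets(buf, sizeof(buf), passwd)` holds at most `sizeof(buf) - 1` characters, so a name of that length or more can never match an entry, and ':' is the passwd field separator, so it cannot be part of a login name. A name rejected by these checks also skips the file lookup silently with `matched` still 0; it is worth deciding explicitly whether that case should be logged through `pamh`.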