From 3c61d2f6f9843dc54c13a3c6b023563c041feaa4 Mon Sep 17 00:00:00 2001 From: Tobias Stoeckmann Date: Tue, 12 Dec 2023 09:40:20 +0100 Subject: libpam: support very long strings in _pam_mkargv This support has to be added before arbitrarily long lines are allowed in configuration files. Signed-off-by: Tobias Stoeckmann --- libpam/pam_misc.c | 20 ++++++++++++++------ 1 file changed, 14 insertions(+), 6 deletions(-) (limited to 'libpam/pam_misc.c') diff --git a/libpam/pam_misc.c b/libpam/pam_misc.c index a334f0f8..c91aa693 100644 --- a/libpam/pam_misc.c +++ b/libpam/pam_misc.c @@ -40,6 +40,7 @@ #include #include #include +#include #include #include #include @@ -150,10 +151,10 @@ char *_pam_memdup(const char *x, int len) /* Generate argv, argc from s */ /* caller must free(argv) */ -int _pam_mkargv(const char *s, char ***argv, int *argc) +size_t _pam_mkargv(const char *s, char ***argv, int *argc) { - int l; - int argvlen = 0; + size_t l; + size_t argvlen = 0; char **our_argv = NULL; D(("called: %s",s)); @@ -161,7 +162,7 @@ int _pam_mkargv(const char *s, char ***argv, int *argc) *argc = 0; l = strlen(s); - if (l) { + if (l && l < SIZE_MAX / (sizeof(char) + sizeof(char *))) { char **argvbuf; /* Overkill on the malloc, but not large */ argvlen = (l + 1) * (sizeof(char) + sizeof(char *)); @@ -173,15 +174,22 @@ int _pam_mkargv(const char *s, char ***argv, int *argc) char *tmp=NULL; char *tok; #ifdef PAM_DEBUG - int count=0; + unsigned count=0; #endif argvbufp = (char *) argvbuf + (l * sizeof(char *)); strcpy(argvbufp, s); D(("[%s]",argvbufp)); while ((tok = _pam_tokenize(argvbufp, &tmp))) { - D(("arg #%d",++count)); + D(("arg #%u",++count)); D(("->[%s]",tok)); *argvbuf++ = tok; + if (*argc == INT_MAX) { + pam_syslog(NULL, LOG_CRIT, + "pam_mkargv: too many arguments"); + argvlen = 0; + _pam_drop(our_argv); + break; + } (*argc)++; argvbufp = NULL; D(("loop again?")); -- cgit v1.2.3