From cb13aa40cb4ea0c8f1d12d79cbf9ed94828c837f Mon Sep 17 00:00:00 2001
From: Tobias Stoeckmann <tobias@stoeckmann.org>
Date: Sat, 11 Nov 2023 13:58:06 +0100
Subject: libpam: fix integer overflow when parsing configs

It is possible to trigger a signed integer overflow when parsing
jump numbers for pam return types.

Fail if the number becomes too large.

Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
---
 libpam/pam_misc.c | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

(limited to 'libpam/pam_misc.c')

diff --git a/libpam/pam_misc.c b/libpam/pam_misc.c
index 4c53451f..22b613e1 100644
--- a/libpam/pam_misc.c
+++ b/libpam/pam_misc.c
@@ -37,6 +37,7 @@
 
 #include "pam_private.h"
 
+#include <limits.h>
 #include <stdarg.h>
 #include <stdlib.h>
 #include <stdio.h>
@@ -329,8 +330,17 @@ void _pam_parse_control(int *control_array, char *tok)
 	    /* parse a number */
 	    act = 0;
 	    do {
+		int digit = *tok - '0';
+		if (act > INT_MAX / 10) {
+		    error = "expecting smaller jump number";
+		    goto parse_error;
+		}
 		act *= 10;
-		act += *tok - '0';      /* XXX - this assumes ascii behavior */
+		if (act > INT_MAX - digit) {
+		    error = "expecting smaller jump number";
+		    goto parse_error;
+		}
+		act += digit;      /* XXX - this assumes ascii behavior */
 	    } while (*++tok && isdigit((unsigned char)*tok));
 	    if (! act) {
 		/* we do not allow 0 jumps.  There is a token ('ignore')
-- 
cgit v1.2.3