From 9082c6c2754b72b2146c6e6e3011b4920a491b3f Mon Sep 17 00:00:00 2001
From: Tobias Stoeckmann
Date: Mon, 4 Dec 2023 22:33:19 +0100
Subject: libpam: check for INT_MAX limit in ioloop

The size arguments to pam_modutil_read and pam_modutil_write are of type int. If a negative value is specified, fail with -1 instead of returning 0, indicating "just" a short read or write.

Signed-off-by: Tobias Stoeckmann
---
 libpam/pam_modutil_ioloop.c | 10 ++++++++++
 1 file changed, 10 insertions(+)
(limited to 'libpam')
diff --git a/libpam/pam_modutil_ioloop.c b/libpam/pam_modutil_ioloop.c
index 9b73ed75..72b58455 100644
--- a/libpam/pam_modutil_ioloop.c
+++ b/libpam/pam_modutil_ioloop.c
@@ -15,6 +15,11 @@ pam_modutil_read(int fd, char *buffer, int count)
 {
 int block, offset = 0;
+ if (count < 0) {
+ errno = EINVAL;
+ return -1;
+ }
+
 while (count > 0) {
 block = read(fd, &buffer[offset], count);
@@ -36,6 +41,11 @@ pam_modutil_write(int fd, const char *buffer, int count)
 {
 int block, offset = 0;
+ if (count < 0) {
+ errno = EINVAL;
+ return -1;
+ }
+
 while (count > 0) {
 block = write(fd, &buffer[offset], count);
-- 
cgit v1.2.3
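Review bot: The new `if (count < 0)` guard in pam_modutil_read, and the identical one in pam_modutil_write in the second hunk, only rejects a caller length that arrives as a negative int. On common ABIs a size_t length above INT_MAX can also truncate to a small positive int; that value still passes the guard and produces a shorter transfer than the caller intended, with a return value that looks like success. Because the parameter is `int count`, this cannot be detected inside these functions, so I would state the contract at the guard, e.g. `/* count is int: callers holding a size_t must reject lengths > INT_MAX before calling; a negative count is a caller bug and fails with EINVAL. */`, and audit the callers for that check. Both function bodies begin and continue outside the hunks shown, so the rest of the loop's error handling is not visible here.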