From b6faf3c6cbf2f27a1976e462e2ea6fa09f1aad3d Mon Sep 17 00:00:00 2001 From: Tobias Stoeckmann Date: Thu, 4 Jan 2024 18:30:28 +0100 Subject: libpam: handle long delays properly If a delay close to UINT_MAX has been set, then the delay computation might overflow the value due to added randomness. Systems where linux-pam is in use should generally have a 32 bit unsigned int and a 64 bit unsigned long long, and a time_t of either 64 bit or 32 bit. Under these assumptions, using the result for delay is safe because of the division before assigning it to tv_sec (time_t). Thought about using uint64_t type here but as long as "unsigned int" is part of the API instead of uint32_t, no proper guarantees could be made anyway. Unfortunately we have to supply an unsigned int if a PAM_FAIL_DELAY function has been set. In such a case, supply a UINT_MAX if delay is larger than that. It's the best we can do without breaking the API. Signed-off-by: Tobias Stoeckmann --- libpam/pam_delay.c | 20 +++++++++++++------- 1 file changed, 13 insertions(+), 7 deletions(-) (limited to 'libpam') diff --git a/libpam/pam_delay.c b/libpam/pam_delay.c index b8fddbb6..67b7d73b 100644 --- a/libpam/pam_delay.c +++ b/libpam/pam_delay.c @@ -14,6 +14,7 @@ */ #include "pam_private.h" +#include #include #include @@ -61,19 +62,21 @@ static unsigned int _pam_rand(unsigned int seed) return N1*seed + N2; } -static unsigned int _pam_compute_delay(unsigned int seed, unsigned int base) +static unsigned long long _pam_compute_delay(unsigned int seed, + unsigned int base) { int i; double sum; - unsigned int ans; + unsigned long long ans; for (sum=i=0; i<3; ++i) { seed = _pam_rand(seed); sum += (double) ((seed / 10) % 1000000); } sum = (sum/3.)/1e6 - .5; /* rescale */ - ans = (unsigned int) ( base*(1.+sum) ); - D(("random number: base=%u -> ans=%u\n", base, ans)); + sum = base*(1.+sum); + ans = sum > (double) ULLONG_MAX ? ULLONG_MAX : (unsigned long long) sum; + D(("random number: base=%u -> ans=%llu\n", base, ans)); return ans; } @@ -88,7 +91,7 @@ static unsigned int _pam_compute_delay(unsigned int seed, unsigned int base) void _pam_await_timer(pam_handle_t *pamh, int status) { - unsigned int delay; + unsigned long long delay; D(("waiting?...")); delay = _pam_compute_delay(pamh->fail_delay.begin, @@ -99,6 +102,7 @@ void _pam_await_timer(pam_handle_t *pamh, int status) void (*fn)(int, unsigned, void *); } hack_fn_u; void *appdata_ptr; + unsigned int delay_uint; if (pamh->pam_conversation) { appdata_ptr = pamh->pam_conversation->appdata_ptr; @@ -106,14 +110,16 @@ void _pam_await_timer(pam_handle_t *pamh, int status) appdata_ptr = NULL; } + delay_uint = delay > UINT_MAX ? UINT_MAX : (unsigned int) delay; + /* always call the applications delay function, even if the delay is zero - indicate status */ hack_fn_u.value = pamh->fail_delay.delay_fn_ptr; - hack_fn_u.fn(status, delay, appdata_ptr); + hack_fn_u.fn(status, delay_uint, appdata_ptr); } else if (status != PAM_SUCCESS && pamh->fail_delay.set) { - D(("will wait %u usec", delay)); + D(("will wait %llu usec", delay)); if (delay > 0) { struct timeval tval; -- cgit v1.2.3