From 40d87993dfbaf098f4b266e4f373d01dbd216314 Mon Sep 17 00:00:00 2001 From: Tobias Stoeckmann Date: Mon, 4 Dec 2023 22:23:57 +0100 Subject: pam_echo: handle short reads If the file parsed by pam_echo is larger than INT_MAX, then it is possible that uninitialized memory is printed on screen. The return value of pam_modutil_read is not negative if the size argument (casted to an int) is negative. Instead 0 is returned. This can also happen with any other file if a short read is triggered. Check if file is fully parsed or not. Signed-off-by: Tobias Stoeckmann --- modules/pam_echo/pam_echo.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'modules/pam_echo') diff --git a/modules/pam_echo/pam_echo.c b/modules/pam_echo/pam_echo.c index d05597a2..6a7c2f64 100644 --- a/modules/pam_echo/pam_echo.c +++ b/modules/pam_echo/pam_echo.c @@ -183,7 +183,7 @@ pam_echo (pam_handle_t *pamh, int flags, int argc, const char **argv) return PAM_IGNORE; } - if ((uintmax_t) st.st_size >= (uintmax_t) SIZE_MAX) + if ((uintmax_t) st.st_size > (uintmax_t) INT_MAX) { close (fd); return PAM_BUF_ERR; @@ -196,7 +196,7 @@ pam_echo (pam_handle_t *pamh, int flags, int argc, const char **argv) return PAM_BUF_ERR; } - if (pam_modutil_read (fd, mtmp, st.st_size) == -1) + if (pam_modutil_read (fd, mtmp, st.st_size) != st.st_size) { pam_syslog (pamh, LOG_ERR, "Error while reading %s: %m", file); free (mtmp); -- cgit v1.2.3