From bcf20a531ca112e4c5fef77d57ed8eef56a05101 Mon Sep 17 00:00:00 2001
From: Tobias Stoeckmann <tobias@stoeckmann.org>
Date: Sat, 11 Nov 2023 13:09:59 +0100
Subject: pam_echo: avoid heap overflow on huge files

The module might overflow heap on 32 bit systems if a 4 GB file is
supplied as argument.

Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
---
 modules/pam_echo/pam_echo.c | 7 +++++++
 1 file changed, 7 insertions(+)

(limited to 'modules/pam_echo')

diff --git a/modules/pam_echo/pam_echo.c b/modules/pam_echo/pam_echo.c
index 181aeb4c..d05597a2 100644
--- a/modules/pam_echo/pam_echo.c
+++ b/modules/pam_echo/pam_echo.c
@@ -41,6 +41,7 @@
 #include <stdio.h>
 #include <fcntl.h>
 #include <string.h>
+#include <stdint.h>
 #include <stdlib.h>
 #include <unistd.h>
 #include <limits.h>
@@ -182,6 +183,12 @@ pam_echo (pam_handle_t *pamh, int flags, int argc, const char **argv)
 	  return PAM_IGNORE;
 	}
 
+      if ((uintmax_t) st.st_size >= (uintmax_t) SIZE_MAX)
+	{
+	  close (fd);
+	  return PAM_BUF_ERR;
+	}
+
       mtmp = malloc (st.st_size + 1);
       if (!mtmp)
 	{
-- 
cgit v1.2.3