From 109823cb621c900c07c4b6cdc99070d354d19444 Mon Sep 17 00:00:00 2001
From: Kees Cook <kees@debian.org>
Date: Fri, 14 Oct 2011 19:47:23 +0000
Subject: pam_env: abort when encountering an overflowed environment variable
 expansion

* modules/pam_env/pam_env.c (_expand_arg): Abort when encountering an
overflowed environment variable expansion.
Fixes CVE-2011-3149.
Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/pam/+bug/874565
---
 modules/pam_env/pam_env.c | 3 +++
 1 file changed, 3 insertions(+)

(limited to 'modules/pam_env/pam_env.c')

diff --git a/modules/pam_env/pam_env.c b/modules/pam_env/pam_env.c
index b7cd387f..e04f5b53 100644
--- a/modules/pam_env/pam_env.c
+++ b/modules/pam_env/pam_env.c
@@ -570,6 +570,7 @@ static int _expand_arg(pam_handle_t *pamh, char **value)
 	D(("Variable buffer overflow: <%s> + <%s>", tmp, tmpptr));
 	pam_syslog (pamh, LOG_ERR, "Variable buffer overflow: <%s> + <%s>",
 		 tmp, tmpptr);
+	return PAM_BUF_ERR;
       }
       continue;
     }
@@ -631,6 +632,7 @@ static int _expand_arg(pam_handle_t *pamh, char **value)
 	    D(("Variable buffer overflow: <%s> + <%s>", tmp, tmpptr));
 	    pam_syslog (pamh, LOG_ERR,
 			"Variable buffer overflow: <%s> + <%s>", tmp, tmpptr);
+	    return PAM_BUF_ERR;
 	  }
 	}
       }           /* if ('{' != *orig++) */
@@ -642,6 +644,7 @@ static int _expand_arg(pam_handle_t *pamh, char **value)
 	D(("Variable buffer overflow: <%s> + <%s>", tmp, tmpptr));
 	pam_syslog(pamh, LOG_ERR,
 		   "Variable buffer overflow: <%s> + <%s>", tmp, tmpptr);
+	return PAM_BUF_ERR;
       }
     }
   }              /* for (;*orig;) */
-- 
cgit v1.2.3