From fe6287140bc4d37e6ef36ca1387ce1403b6dd742 Mon Sep 17 00:00:00 2001
From: Tobias Stoeckmann <tobias@stoeckmann.org>
Date: Fri, 15 Dec 2023 00:01:09 +0100
Subject: pam_namespace: handle huge namespace.conf lines

If a lot of arguments are found in a namespace.conf file, argc might
overflow, which is an undefined behavior.

In most cases, the realloc will instantly fail due to a wrap around.

Protect properly by avoiding the calculation in the first place.

Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
---
 modules/pam_namespace/argv_parse.c | 6 ++++++
 1 file changed, 6 insertions(+)

(limited to 'modules/pam_namespace')

diff --git a/modules/pam_namespace/argv_parse.c b/modules/pam_namespace/argv_parse.c
index fff93f4c..ac7c9ae0 100644
--- a/modules/pam_namespace/argv_parse.c
+++ b/modules/pam_namespace/argv_parse.c
@@ -28,6 +28,7 @@
  * Version 1.1, modified 2/27/1999
  */
 
+#include <limits.h>
 #include <stdlib.h>
 #include <ctype.h>
 #include <string.h>
@@ -61,6 +62,11 @@ int argv_parse(const char *in_buf, int *ret_argc, char ***ret_argv)
 			/* Not whitespace, so start a new token */
 			state = STATE_TOKEN;
 			if (argc >= max_argc) {
+				if (max_argc >= INT_MAX - 3) {
+					free(argv);
+					free(buf);
+					return -1;
+				}
 				max_argc += 3;
 				new_argv = realloc(argv,
 						  (max_argc+1)*sizeof(char *));
-- 
cgit v1.2.3