From 5f0b5b2def617c50034422c5bc112509d7f5652e Mon Sep 17 00:00:00 2001 From: Keith Turner - C72473 Date: Fri, 6 Sep 2024 10:45:37 -0700 Subject: pam_userdb: don't overwrite free'd memory As crypt_r is expected to return a pointer into a provided crypt_data struct, callers should not modify the string returned by crypt_r after freeing the corresponding crypt_data struct. Co-authored-by: Dmitry V. Levin --- modules/pam_userdb/pam_userdb.c | 10 +++------- 1 file changed, 3 insertions(+), 7 deletions(-) (limited to 'modules/pam_userdb') diff --git a/modules/pam_userdb/pam_userdb.c b/modules/pam_userdb/pam_userdb.c index 40ede6de..e5942c8a 100644 --- a/modules/pam_userdb/pam_userdb.c +++ b/modules/pam_userdb/pam_userdb.c @@ -268,11 +268,6 @@ user_lookup (pam_handle_t *pamh, const char *database, const char *cryptmode, } if (cryptmode && pam_str_skip_icase_prefix(cryptmode, "crypt") != NULL) { - - /* crypt(3) password storage */ - - char *cryptpw = NULL; - if (data.dsize < 13) { /* hash is too short */ pam_syslog(pamh, LOG_INFO, "password hash in database is too short"); @@ -286,6 +281,7 @@ user_lookup (pam_handle_t *pamh, const char *database, const char *cryptmode, if (pwhash == NULL) { pam_syslog(pamh, LOG_CRIT, "strndup failed: data.dptr"); } else { + char *cryptpw = NULL; #ifdef HAVE_CRYPT_R struct crypt_data *cdata = NULL; cdata = calloc(1, sizeof(*cdata)); @@ -312,13 +308,13 @@ user_lookup (pam_handle_t *pamh, const char *database, const char *cryptmode, #ifdef HAVE_CRYPT_R pam_overwrite_object(cdata); free(cdata); +#else + pam_overwrite_string(cryptpw); #endif } pam_overwrite_string(pwhash); free(pwhash); } - - pam_overwrite_string(cryptpw); } else { /* Unknown password encryption method - -- cgit v1.2.3