From 353aa13b9c81beb4ba7f02ae57b0722de6a4d565 Mon Sep 17 00:00:00 2001 From: Tobias Stoeckmann Date: Tue, 2 Jan 2024 18:34:45 +0100 Subject: pam_namespace: validate amount of uids in config If more than INT_MAX uids are found in a configuration line, the variable `count` would trigger a signed integer overflow. If more than UINT_MAX uids are found in a configuration line, then the `num_uids` counter is invalid, which could eventually lead to out of boundary accesses. Also make sure that size multiplication for malloc does not overflow. Signed-off-by: Tobias Stoeckmann --- modules/pam_namespace/pam_namespace.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) (limited to 'modules') diff --git a/modules/pam_namespace/pam_namespace.c b/modules/pam_namespace/pam_namespace.c index 92372ab4..09d19ca0 100644 --- a/modules/pam_namespace/pam_namespace.c +++ b/modules/pam_namespace/pam_namespace.c @@ -637,7 +637,7 @@ static int process_line(char *line, const char *home, const char *rhome, if (uids) { uid_t *uidptr; const char *ustr, *sstr; - int count, i; + size_t count, i; if (*uids == '~') { poly->flags |= POLYDIR_EXCLUSIVE; @@ -646,6 +646,11 @@ static int process_line(char *line, const char *home, const char *rhome, for (count = 0, ustr = sstr = uids; sstr; ustr = sstr + 1, count++) sstr = strchr(ustr, ','); + if (count > UINT_MAX || count > SIZE_MAX / sizeof(uid_t)) { + pam_syslog(idata->pamh, LOG_ERR, "Too many uids encountered in configuration"); + goto skipping; + } + poly->num_uids = count; poly->uid = malloc(count * sizeof (uid_t)); uidptr = poly->uid; -- cgit v1.2.3