From c3d2861800f9af0723e18609ae9852951453d65c Mon Sep 17 00:00:00 2001
From: Matthias Gerstner
Date: Wed, 27 Dec 2023 13:29:26 +0100
Subject: pam_namespace: fix double-free on parse error in namespace.conf

If a line in namespace.conf only consists of one field then the error handling logic in process_line() ends up in a double-free, resulting in a process abort in libc. It looks like instead of NULLing the `dir` variable, the `instance_prefix` is NULLed, without purpose. Fix this.
---
 modules/pam_namespace/pam_namespace.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'modules')
diff --git a/modules/pam_namespace/pam_namespace.c b/modules/pam_namespace/pam_namespace.c
index 1c42b0f4..b7cdcfa4 100644
--- a/modules/pam_namespace/pam_namespace.c
+++ b/modules/pam_namespace/pam_namespace.c
@@ -529,7 +529,7 @@ static int process_line(char *line, const char *home, const char *rhome,
 instance_prefix = config_options[1];
 if (instance_prefix == NULL) {
 pam_syslog(idata->pamh, LOG_NOTICE, "Invalid line missing instance_prefix");
- instance_prefix = NULL;
+ dir = NULL;
 goto skipping;
 }
 method = config_options[2];
--
cgit v1.2.3
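Review bot: The added `dir = NULL;` in the `instance_prefix == NULL` branch carries no comment explaining why it must be cleared before `goto skipping`. The line it replaces, which assigned NULL to a pointer the `if` had just shown to be NULL, shows how easily this ownership rule is misread. Going by the commit message, `dir` presumably still points at an element of `config_options` here and the cleanup reached through `skipping` releases both; that code is outside the hunk, so confirm it there. I would put `/* dir still points into config_options; clear it so the cleanup path does not free it twice */` above the assignment. process_line() starts and ends outside this hunk, so its other early exits (the `method` check begins on the last context line) are worth checking for the same aliasing, and a one-field namespace.conf line would make a useful regression test.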