From 43bdb7ce04c9cb00bdf0f5dda818b077b9dc7c56 Mon Sep 17 00:00:00 2001 From: Andrey Kovalev Date: Fri, 18 Oct 2024 10:25:17 +0300 Subject: pam_get_authtok*: disallow setting pamh to NULL This also prevents a potential NULL pointer dereference in pam_get_authtok_internal and pam_get_authtok_verify when the pamh argument they access is set to NULL. --- tests/Makefile.am | 2 +- tests/meson.build | 1 + tests/tst-pam_get_authtok.c | 51 +++++++++++++++++++++++++++++++++++++++++++++ 3 files changed, 53 insertions(+), 1 deletion(-) create mode 100644 tests/tst-pam_get_authtok.c (limited to 'tests') diff --git a/tests/Makefile.am b/tests/Makefile.am index d7462dea..7fb662e5 100644 --- a/tests/Makefile.am +++ b/tests/Makefile.am @@ -13,7 +13,7 @@ TESTS = tst-pam_start tst-pam_end tst-pam_fail_delay tst-pam_open_session \ tst-pam_close_session tst-pam_acct_mgmt tst-pam_authenticate \ tst-pam_chauthtok tst-pam_setcred tst-pam_get_item tst-pam_set_item \ tst-pam_getenvlist tst-pam_get_user tst-pam_get_data tst-pam_set_data \ - tst-pam_mkargv tst-pam_start_confdir + tst-pam_mkargv tst-pam_start_confdir tst-pam_get_authtok EXTRA_DIST = confdir diff --git a/tests/meson.build b/tests/meson.build index 4d37e450..21811b1f 100644 --- a/tests/meson.build +++ b/tests/meson.build @@ -8,6 +8,7 @@ foreach name: ['dlopen', 'pam_authenticate', 'pam_chauthtok', 'pam_setcred', + 'pam_get_authtok', 'pam_get_item', 'pam_set_item', 'pam_getenvlist', diff --git a/tests/tst-pam_get_authtok.c b/tests/tst-pam_get_authtok.c new file mode 100644 index 00000000..ffda5968 --- /dev/null +++ b/tests/tst-pam_get_authtok.c @@ -0,0 +1,51 @@ +/* + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, and the entire permission notice in its entirety, + * including the disclaimer of warranties. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. The name of the author may not be used to endorse or promote + * products derived from this software without specific prior + * written permission. + * + * ALTERNATIVELY, this product may be distributed under the terms of + * the GNU Public License, in which case the provisions of the GPL are + * required INSTEAD OF the above restrictions. (This clause is + * necessary due to a potential bad interaction between the GPL and + * the restrictions contained in a BSD-style copyright.) + * + * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED + * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE + * DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, + * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES + * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR + * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + */ + +#include "test_assert.h" +#include +#include + +int +main (void) +{ + const char *authtok = "test"; + const char *prompt = "test"; + + /* 1: Call pam_get_authtok_verify with NULL as pam handle */ + ASSERT_EQ(PAM_SYSTEM_ERR, pam_get_authtok_verify (NULL, &authtok, prompt)); + + /* 2: Call pam_get_authtok with NULL as pam handle */ + ASSERT_EQ(PAM_SYSTEM_ERR, pam_get_authtok (NULL, 0, &authtok, prompt)); + + return 0; +} -- cgit v1.2.3