Module Name: src Committed By: christos Date: Fri Feb 7 22:13:35 UTC 2020
Modified Files: src/lib/libpam/modules/pam_krb5: pam_krb5.c Log Message: stop using sprintf and check for buffer overflow. To generate a diff of this commit: cvs rdiff -u -r1.26 -r1.27 src/lib/libpam/modules/pam_krb5/pam_krb5.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
Modified files: Index: src/lib/libpam/modules/pam_krb5/pam_krb5.c diff -u src/lib/libpam/modules/pam_krb5/pam_krb5.c:1.26 src/lib/libpam/modules/pam_krb5/pam_krb5.c:1.27 --- src/lib/libpam/modules/pam_krb5/pam_krb5.c:1.26 Sat Dec 28 13:04:03 2013 +++ src/lib/libpam/modules/pam_krb5/pam_krb5.c Fri Feb 7 17:13:35 2020 @@ -1,4 +1,4 @@ -/* $NetBSD: pam_krb5.c,v 1.26 2013/12/28 18:04:03 christos Exp $ */ +/* $NetBSD: pam_krb5.c,v 1.27 2020/02/07 22:13:35 christos Exp $ */ /*- * This pam_krb5 module contains code that is: @@ -53,7 +53,7 @@ #ifdef __FreeBSD__ __FBSDID("$FreeBSD: src/lib/libpam/modules/pam_krb5/pam_krb5.c,v 1.22 2005/01/24 16:49:50 rwatson Exp $"); #else -__RCSID("$NetBSD: pam_krb5.c,v 1.26 2013/12/28 18:04:03 christos Exp $"); +__RCSID("$NetBSD: pam_krb5.c,v 1.27 2020/02/07 22:13:35 christos Exp $"); #endif #include <sys/types.h> @@ -459,6 +459,7 @@ pam_sm_setcred(pam_handle_t *pamh, int f if (!cache_name) goto cleanup3; } else { + size_t len = PATH_MAX + 16; /* Get the cache name */ cache_name = openpam_get_option(pamh, PAM_OPT_CCACHE); if (cache_name == NULL) { @@ -467,7 +468,7 @@ pam_sm_setcred(pam_handle_t *pamh, int f } /* XXX potential overflow */ - cache_name_buf2 = p = calloc(PATH_MAX + 16, sizeof(char)); + cache_name_buf2 = p = calloc(len, sizeof(char)); q = cache_name; if (p == NULL) { @@ -479,27 +480,42 @@ pam_sm_setcred(pam_handle_t *pamh, int f /* convert %u and %p */ while (*q) { + int l; if (*q == '%') { q++; if (*q == 'u') { - sprintf(p, "%d", pwd->pw_uid); - p += strlen(p); + l = snprintf(p, len, "%d", pwd->pw_uid); } else if (*q == 'p') { - sprintf(p, "%d", getpid()); - p += strlen(p); + l = snprintf(p, len, "%d", getpid()); } else { /* Not a special token */ - *p++ = '%'; + if (!len) + goto truncated; + *p = '%'; + l = 1; q--; } + if ((size_t)l > len) { +truncated: PAM_LOG("string truncation failure"); + retval = PAM_BUF_ERR; + goto cleanup3; + } q++; } else { - *p++ = *q++; + if (!len) + goto truncated; + *p = *q++; + l = 1; } + p += l; + len -= (size_t)l; } + if (!len) + goto truncated; + *p = '\0'; } PAM_LOG("Got cache_name: %s", cache_name);