[Bug 272226] libpam's openpam_set_option() omits decrement of cur->optc, can lead to NULL dereference
Date: Mon, 26 Jun 2023 17:20:10 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=272226
Bug ID: 272226
Summary: libpam's openpam_set_option() omits decrement of cur->optc, can lead to NULL dereference
Product: Base System
Version: CURRENT
Hardware: Any
OS: Any
Status: New
Severity: Affects Some People
Priority: ---
Component: bin
Assignee: bugs@FreeBSD.org
Reporter: rtm@lcs.mit.edu
The code in libpam's openpam_set_option() that removes an option:

    if (value == NULL) {
        /* remove */
        if (i == cur->optc)
            RETURNC(PAM_SUCCESS);
        for (free(cur->optv[i]); i < cur->optc; ++i)
            cur->optv[i] = cur->optv[i + 1];
        cur->optv[i] = NULL;
        RETURNC(PAM_SUCCESS);
    }

It's missing a final "cur->optc -= 1", which can cause a subsequent
openpam_get_option() to crash when it runs off the end of cur->optv[]
and passes the terminal NULL to strncmp().
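
The effect described in the report, as an added example that is not part of the original report or the OpenPAM source: a simplified C model of the option vector that runs the quoted removal loop with and without the missing decrement and counts the NULL entries left inside the range a lookup loop would walk. The names struct chain, dup_str, remove_option, null_slots_in_range and demo are hypothetical, the option strings are constructed, and matching uses plain strcmp() instead of the library's own comparison.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Simplified stand-in for the option fields of a chain entry (assumed layout). */
struct chain { char **optv; int optc; };

static char *dup_str(const char *s) {
    char *p = malloc(strlen(s) + 1);
    return p ? strcpy(p, s) : NULL;
}

/* Removal loop as quoted in the report; fix != 0 adds the missing decrement. */
static void remove_option(struct chain *c, const char *name, int fix) {
    int i;
    for (i = 0; i < c->optc; ++i)
        if (strcmp(c->optv[i], name) == 0) break;
    if (i == c->optc) return;               /* option not present */
    for (free(c->optv[i]); i < c->optc; ++i)
        c->optv[i] = c->optv[i + 1];        /* shifts the terminating NULL down too */
    c->optv[i] = NULL;
    if (fix) c->optc -= 1;                  /* the line the report says is missing */
}

/* Count NULL entries a lookup loop over [0, optc) would hand to strncmp(). */
static int null_slots_in_range(const struct chain *c) {
    int n = 0;
    for (int i = 0; i < c->optc; ++i)
        if (c->optv[i] == NULL) ++n;
    return n;
}

/* Remove "debug" from a three-option vector (constructed data) and report stale slots. */
static int demo(int fix) {
    static const char *const opts[] = { "debug", "try_first_pass", "nullok" };
    struct chain c = { calloc(4, sizeof(char *)), 3 };  /* 3 options + NULL terminator */
    for (int i = 0; i < 3; ++i) c.optv[i] = dup_str(opts[i]);
    remove_option(&c, "debug", fix);
    int bad = null_slots_in_range(&c);
    for (int i = 0; c.optv[i] != NULL; ++i) free(c.optv[i]);
    free(c.optv);
    return bad;
}

int main(void) {
    printf("without decrement: %d, with decrement: %d\n", demo(0), demo(1));
    return 0;
}
```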