bin/118144: [patch] pam_lastlog doesn't check return values in
pam_sm_close_session
Oleg Sharoiko
os at rsu.ru
Tue Nov 20 00:30:02 PST 2007
>Number: 118144
>Category: bin
>Synopsis: [patch] pam_lastlog doesn't check return values in pam_sm_close_session
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Tue Nov 20 08:30:01 UTC 2007
>Closed-Date:
>Last-Modified:
>Originator: Oleg Sharoiko
>Release: FreeBSD 6.2-STABLE i386
>Organization:
>Environment:
System: FreeBSD brain.cc.rsu.ru 6.2-STABLE FreeBSD 6.2-STABLE #0: Tue Sep 18 16:26:09 MSD 2007 os at brain.cc.rsu.ru:/usr/obj/usr/src/sys/brain.i386.RELENG_6.2007-04-14 i386
>Description:
From lib/libpam/modules/pam_lastlog/pam_lastlog.c
PAM_EXTERN int
pam_sm_close_session(pam_handle_t *pamh __unused, int flags __unused,
int argc __unused, const char *argv[] __unused)
{
const void *tty;
pam_get_item(pamh, PAM_TTY, (const void **)&tty);
if (strncmp(tty, _PATH_DEV, strlen(_PATH_DEV)) == 0)
tty = (const char *)tty + strlen(_PATH_DEV);
if (*(const char *)tty == '\0')
return (PAM_SERVICE_ERR);
if (logout(tty) != 1)
syslog(LOG_ERR, "%s(): no utmp record for %s",
__func__, (const char *)tty);
logwtmp(tty, "", "");
return (PAM_SUCCESS);
}
1. pam_get_item may fail
2. tty may be NULL resulting in SIGSEGV in strncmp.
>How-To-Repeat:
>Fix:
--- pam_lastlog.c.orig Tue Nov 20 10:05:48 2007
+++ pam_lastlog.c Tue Nov 20 10:07:07 2007
@@ -170,9 +170,14 @@
pam_sm_close_session(pam_handle_t *pamh __unused, int flags __unused,
int argc __unused, const char *argv[] __unused)
{
- const void *tty;
+ const void *tty = NULL;
+ int pam_err;
- pam_get_item(pamh, PAM_TTY, (const void **)&tty);
+ pam_err = pam_get_item(pamh, PAM_TTY, (const void **)&tty);
+ if (pam_err != PAM_SUCCESS)
+ return (pam_err);
+ if (*tty == NULL)
+ return (PAM_SERVICE_ERR);
if (strncmp(tty, _PATH_DEV, strlen(_PATH_DEV)) == 0)
tty = (const char *)tty + strlen(_PATH_DEV);
if (*(const char *)tty == '\0')
>Release-Note:
>Audit-Trail:
>Unformatted:
More information about the freebsd-bugs
mailing list