bin/118144: [patch] pam_lastlog doesn't check return values in pam_sm_close_session

Oleg Sharoiko os at rsu.ru
Tue Nov 20 00:30:02 PST 2007 

>Number:         118144
>Category:       bin
>Synopsis:       [patch] pam_lastlog doesn't check return values in pam_sm_close_session
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue Nov 20 08:30:01 UTC 2007
>Closed-Date:
>Last-Modified:
>Originator:     Oleg Sharoiko
>Release:        FreeBSD 6.2-STABLE i386
>Organization:
>Environment:
System: FreeBSD brain.cc.rsu.ru 6.2-STABLE FreeBSD 6.2-STABLE #0: Tue Sep 18 16:26:09 MSD 2007 os at brain.cc.rsu.ru:/usr/obj/usr/src/sys/brain.i386.RELENG_6.2007-04-14 i386


	
>Description:
	From lib/libpam/modules/pam_lastlog/pam_lastlog.c

PAM_EXTERN int
pam_sm_close_session(pam_handle_t *pamh __unused, int flags __unused,
    int argc __unused, const char *argv[] __unused)
{
        const void *tty;

        pam_get_item(pamh, PAM_TTY, (const void **)&tty);
        if (strncmp(tty, _PATH_DEV, strlen(_PATH_DEV)) == 0)
                tty = (const char *)tty + strlen(_PATH_DEV);
        if (*(const char *)tty == '\0')
                return (PAM_SERVICE_ERR);
        if (logout(tty) != 1)
                syslog(LOG_ERR, "%s(): no utmp record for %s",
                    __func__, (const char *)tty);
        logwtmp(tty, "", "");
        return (PAM_SUCCESS);
}

	1. pam_get_item may fail
	2. tty may be NULL resulting in SIGSEGV in strncmp.
>How-To-Repeat:
	
>Fix:

--- pam_lastlog.c.orig	Tue Nov 20 10:05:48 2007
+++ pam_lastlog.c	Tue Nov 20 10:07:07 2007
@@ -170,9 +170,14 @@
 pam_sm_close_session(pam_handle_t *pamh __unused, int flags __unused,
     int argc __unused, const char *argv[] __unused)
 {
-        const void *tty;
+        const void *tty = NULL;
+	int pam_err;
 
-        pam_get_item(pamh, PAM_TTY, (const void **)&tty);
+        pam_err = pam_get_item(pamh, PAM_TTY, (const void **)&tty);
+	if (pam_err != PAM_SUCCESS)
+		return (pam_err);
+	if (*tty == NULL)
+		return (PAM_SERVICE_ERR);
 	if (strncmp(tty, _PATH_DEV, strlen(_PATH_DEV)) == 0)
 		tty = (const char *)tty + strlen(_PATH_DEV);
 	if (*(const char *)tty == '\0')

>Release-Note:
>Audit-Trail:
>Unformatted:

More information about the freebsd-bugs mailing list