Date: Wed, 3 Apr 2002 01:01:17 +0900 (JST)
From: Takanori Saneto <sanewo@ba2.so-net.ne.jp>
To: FreeBSD-gnats-submit@FreeBSD.org
Cc: des@ofug.org
Subject: bin/36658: libpam bugs cause xdm+pam_ssh crash on -CURRENT
Message-ID: <200204021601.g32G1HgJ053242@muse.sanewo.dyn.to>
>Number: 36658
>Category: bin
>Synopsis: libpam bugs cause xdm+pam_ssh crash on -CURRENT
>Confidential: no
>Severity: critical
>Priority: high
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Tue Apr 02 08:10:02 PST 2002
>Closed-Date:
>Last-Modified:
>Originator: Takanori Saneto
>Release: FreeBSD 5.0-CURRENT i386
>Organization:
an individual
>Environment:
System: FreeBSD muse.sanewo.dyn.to 5.0-CURRENT FreeBSD 5.0-CURRENT #0: Sat Mar 30 03:32:57 JST 2002 sanewo@muse.sanewo.dyn.to:/export/usr/obj/usr/src/sys/MUSE i386
5.0-CURRENT as of today, XFree86 4.2.99.1 as of 2002/Jan
>Description:
A couple of bugs in libpam (pam_putenv and pam_set_data) cause an xdm core dump.
In pam_putenv, the size of the env array was growing in bytes instead of sizeof(char *).
In pam_set_data, an incorrect pointer was free()ed and the passed data was not set at all.
>How-To-Repeat:
Enable pam_ssh in /etc/pam.d/xdm and try to login via xdm.
>Fix:
The following patch should fix the problem.
Index: pam_putenv.c
===================================================================
RCS file: /export/cvsup/cvs/src/contrib/openpam/lib/pam_putenv.c,v
retrieving revision 1.1.1.4
diff -u -r1.1.1.4 pam_putenv.c
--- pam_putenv.c 14 Mar 2002 20:42:06 -0000 1.1.1.4
+++ pam_putenv.c 2 Apr 2002 15:37:13 -0000
@@ -73,7 +73,7 @@
/* grow the environment list if necessary */
if (pamh->env_count == pamh->env_size) {
- env = realloc(pamh->env, pamh->env_size * 2 + 1);
+ env = realloc(pamh->env, sizeof(char *) * (pamh->env_size * 2 + 1));
if (env == NULL)
return (PAM_BUF_ERR);
pamh->env = env;
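Review bot: The new realloc() size on the "+" line hard-codes the element type as sizeof(char *); writing it as sizeof(*env) * (pamh->env_size * 2 + 1) keeps the size tied to the array's declared type, the same idiom as malloc(sizeof *dp) in pam_set_data.c. The lines after "pamh->env = env;" are not part of this hunk, so please confirm that env_size is updated there to the same env_size * 2 + 1 element count; if the recorded capacity and the allocated size disagree, later writes to env[] run past the buffer again.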
Index: pam_set_data.c
===================================================================
RCS file: /export/cvsup/cvs/src/contrib/openpam/lib/pam_set_data.c,v
retrieving revision 1.1.1.4
diff -u -r1.1.1.4 pam_set_data.c
--- pam_set_data.c 14 Mar 2002 20:42:06 -0000 1.1.1.4
+++ pam_set_data.c 2 Apr 2002 14:53:39 -0000
@@ -74,11 +74,12 @@
if ((dp = malloc(sizeof *dp)) == NULL)
return (PAM_BUF_ERR);
if ((dp->name = strdup(module_data_name)) == NULL) {
- free(data);
+ free(dp);
return (PAM_BUF_ERR);
}
+ dp->data = data;
dp->next = pamh->module_data;
- pamh->module_data = data;
+ pamh->module_data = dp;
return (PAM_SUCCESS);
}
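Review bot: After the strdup() check, only dp->name, dp->data and dp->next are assigned on a node obtained from malloc(), so any other member of *dp is still uninitialized when the node is linked in with "pamh->module_data = dp;". If the structure has further members (a cleanup callback, for instance), assign them before the node is linked, or allocate the node with calloc() so that an unset member reads as NULL rather than heap garbage. A one-line comment noting that the caller keeps ownership of "data" on the PAM_BUF_ERR path would also document why free(dp), and not free(data), is the correct cleanup.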
>Release-Note:
>Audit-Trail:
>Unformatted:
