Date: Wed, 3 Apr 2002 01:01:17 +0900 (JST)
From: Takanori Saneto <sanewo@ba2.so-net.ne.jp>
To: FreeBSD-gnats-submit@FreeBSD.org
Cc: des@ofug.org
Subject: bin/36658: libpam bugs cause xdm+pam_ssh crash on -CURRENT
Message-ID: <200204021601.g32G1HgJ053242@muse.sanewo.dyn.to>
>Number: 36658
>Category: bin
>Synopsis: libpam bugs cause xdm+pam_ssh crash on -CURRENT
>Confidential: no
>Severity: critical
>Priority: high
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Tue Apr 02 08:10:02 PST 2002
>Closed-Date:
>Last-Modified:
>Originator: Takanori Saneto
>Release: FreeBSD 5.0-CURRENT i386
>Organization: an individual
>Environment:
System: FreeBSD muse.sanewo.dyn.to 5.0-CURRENT FreeBSD 5.0-CURRENT #0: Sat Mar 30 03:32:57 JST 2002 sanewo@muse.sanewo.dyn.to:/export/usr/obj/usr/src/sys/MUSE i386
5.0-CURRENT as of today, XFree86 4.2.99.1 as of 2002/Jan
>Description:
Couple of bugs in libpam (pam_putenv and pam_set_data) cause xdm core dump. In pam_putenv, size of env array was growing in bytes instead of sizeof(char *). In pam_set_data, incorrect pointer was free()ed and passed data was not set at all.
>How-To-Repeat:
Enable pam_ssh in /etc/pam.d/xdm and try to login via xdm.
>Fix:
Following patch should fix the problem.
Index: pam_putenv.c =================================================================== RCS file: /export/cvsup/cvs/src/contrib/openpam/lib/pam_putenv.c,v retrieving revision 1.1.1.4 diff -u -r1.1.1.4 pam_putenv.c --- pam_putenv.c 14 Mar 2002 20:42:06 -0000 1.1.1.4 +++ pam_putenv.c 2 Apr 2002 15:37:13 -0000 @@ -73,7 +73,7 @@ /* grow the environment list if necessary */ if (pamh->env_count == pamh->env_size) { - env = realloc(pamh->env, pamh->env_size * 2 + 1); + env = realloc(pamh->env, sizeof(char *) * (pamh->env_size * 2 + 1)); if (env == NULL) return (PAM_BUF_ERR); pamh->env = env; Index: pam_set_data.c =================================================================== RCS file: /export/cvsup/cvs/src/contrib/openpam/lib/pam_set_data.c,v retrieving revision 1.1.1.4 diff -u -r1.1.1.4 pam_set_data.c --- pam_set_data.c 14 Mar 2002 20:42:06 -0000 1.1.1.4 +++ pam_set_data.c 2 Apr 2002 14:53:39 -0000 
@@ -74,11 +74,12 @@ if ((dp = malloc(sizeof *dp)) == NULL) return (PAM_BUF_ERR); if ((dp->name = strdup(module_data_name)) == NULL) { - free(data); + free(dp); return (PAM_BUF_ERR); } + dp->data = data; dp->next = pamh->module_data; - pamh->module_data = data; + pamh->module_data = dp; return (PAM_SUCCESS); }
>Release-Note:
>Audit-Trail:
>Unformatted:
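Review bot: In the pam_putenv.c hunk, the new realloc() size hard-codes the element type as sizeof(char *); writing it as sizeof(*env) keeps the element size tied to the array being grown, so the same bytes-versus-elements mistake cannot come back if the type ever changes. The assignment that updates pamh->env_size is outside the visible context, so please confirm it stores the same count that is allocated here (pamh->env_size * 2 + 1), because the pamh->env_count == pamh->env_size test at the top of the hunk is only a valid capacity check if the two agree. The size computation is also not guarded against integer overflow before it reaches realloc().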
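Review bot: In the pam_set_data.c hunk, dp comes from malloc() and the visible lines assign only dp->name, dp->data and dp->next before dp is linked into pamh->module_data, so any other member of *dp is left uninitialised. pam_set_data() also takes a cleanup callback and no assignment of it appears in these lines; if the structure carries one, set it next to dp->data = data (or allocate with calloc()) so that later teardown does not call through a garbage pointer. The free(dp) on the strdup() failure path and the pamh->module_data = dp link look right as changed.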