author | Michel Dänzer <michel@daenzer.net> | 2013-08-20 11:25:00 -0400 |
---|---|---|
committer | Ray Strode <rstrode@redhat.com> | 2013-08-20 11:25:00 -0400 |
commit | 9755ca3a594a01ba7f361684af1c29b49be17856 (patch) | |
tree | d3b9168e8d5da5f23b9051c100e0d3345c57c512 | |
parent | 7df9c4062f9bbef5a6d4cc1aa215b9a88939df2e (diff) | |
download | gdm-9755ca3a594a01ba7f361684af1c29b49be17856.tar.gz |
worker: Fix memory corruption error/crasher

gdm_session_worker_process_pam_message() contains this code:

    *response_text = strndup (user_answer,
                              PAM_MAX_RESP_SIZE - 1);
    (*response_text)[PAM_MAX_RESP_SIZE - 1] = '\0';

If the string pointed to by user_answer is shorter than PAM_MAX_RESP_SIZE - 1
(which will generally be the case), the second line clobbers unrelated memory.
On this powerpc laptop, that causes gdm-session-worker to crash while verifying
the password, leaving me unable to log into any user session.

strndup() already ensures that the resulting string is 0-terminated anyway, so
this commit just removes the second line.
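
The bounds argument in the commit message, worked through as an added C example (not part of the commit or of gdm). The helper names `strndup_size`, `removed_store_in_bounds`, `dup_response` and `make_answer` are hypothetical, the sample answers are constructed, and `PAM_MAX_RESP_SIZE` is assumed to be 512 so the block builds without the PAM headers.

```c
#define _POSIX_C_SOURCE 200809L   /* strndup() and strnlen() */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumption: 512, the value used by Linux-PAM, stands in for the real header. */
#ifndef PAM_MAX_RESP_SIZE
#define PAM_MAX_RESP_SIZE 512
#endif

/* Bytes strndup(s, n) needs: the characters it copies plus the NUL it appends. */
static size_t strndup_size(const char *s, size_t n)
{
    return strnlen(s, n) + 1;
}

/* 1 if the removed store to index PAM_MAX_RESP_SIZE - 1 falls inside the
 * buffer strndup() sized for this answer, 0 if it lands past the end. */
static int removed_store_in_bounds(const char *answer)
{
    size_t size = strndup_size(answer, PAM_MAX_RESP_SIZE - 1);
    return (size_t)(PAM_MAX_RESP_SIZE - 1) < size;
}

/* The fixed form: bounded copy, already terminated; NULL on allocation failure. */
static char *dup_response(const char *answer)
{
    return strndup(answer, PAM_MAX_RESP_SIZE - 1);
}

/* Constructed test input: a heap string of len 'a' characters. */
static char *make_answer(size_t len)
{
    char *s = malloc(len + 1);
    if (s != NULL) {
        memset(s, 'a', len);
        s[len] = '\0';
    }
    return s;
}

int main(void)
{
    char *longer = make_answer(600);
    if (longer == NULL)
        return 1;
    printf("short answer: store in bounds = %d\n", removed_store_in_bounds("hunter2"));
    printf("600-char answer: store in bounds = %d\n", removed_store_in_bounds(longer));
    free(longer);
    return 0;
}
```

The store is in bounds only when the answer is at least PAM_MAX_RESP_SIZE - 1 characters long, and in that case it rewrites the terminator strndup() has already placed there.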
-rw-r--r-- | daemon/gdm-session-worker.c | 1 |
1 files changed, 0 insertions, 1 deletions
diff --git a/daemon/gdm-session-worker.c b/daemon/gdm-session-worker.c index 422c6ef9..7307872b 100644 --- a/daemon/gdm-session-worker.c +++ b/daemon/gdm-session-worker.c @@ -795,7 +795,6 @@ gdm_session_worker_process_pam_message (GdmSessionWorker *worker, */ if (res && response_text != NULL) { *response_text = strndup (user_answer, PAM_MAX_RESP_SIZE - 1); - (*response_text)[PAM_MAX_RESP_SIZE - 1] = '\0'; } memset (user_answer, '\0', strlen (user_answer)); |
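Review bot: The result of strndup() inside the `if (res && response_text != NULL)` block is still not checked for NULL, so on allocation failure the function leaves `*response_text` NULL while `res` stays true. The removed store would have dereferenced that NULL as well, so this patch does not make things worse, but it is worth a follow-up that checks the pointer and reports failure instead of handing a NULL response back. Two smaller points on the same lines: an answer longer than PAM_MAX_RESP_SIZE - 1 is truncated silently, which deserves a comment or a log line, and if `user_answer` is released shortly after `memset (user_answer, '\0', strlen (user_answer));` a compiler may treat that call as a dead store, so a scrub routine that cannot be elided (for example explicit_bzero() where available) would be safer for password material.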