authorBrian Cameron <brian.cameron@oracle.com>2012-06-22 09:36:46 -0500
committerBrian Cameron <brian.cameron@oracle.com>2012-06-22 09:36:46 -0500
commitdc1797c436b4552324a2dfc41fca9a85c674ae7a (patch)
tree7bd06cb7f48aaec72e046b1206d10db35b9b0c88
parenta7c5c55e0fafb06069e2043d63fe33580a3e3848 (diff)
When providing data to PAM, use strndup with "PAM_MAX_RESP_SIZE - 1"
and make sure the last character is a '\0'.
-rw-r--r--daemon/gdm-session-worker.c8
1 files changed, 5 insertions, 3 deletions
diff --git a/daemon/gdm-session-worker.c b/daemon/gdm-session-worker.c
index 449e7d15..1e1cf370 100644
--- a/daemon/gdm-session-worker.c
+++ b/daemon/gdm-session-worker.c
@@ -860,11 +860,13 @@ gdm_session_worker_process_pam_message (GdmSessionWorker *worker,
}
if (user_answer != NULL) {
- /* we strdup and g_free to make sure we return malloc'd
- * instead of g_malloc'd memory
+ /* we strndup and g_free to make sure we return malloc'd
+ * instead of g_malloc'd memory. PAM_MAX_RESP_SIZE includes
+ * the '\0' terminating character, thus the "- 1".
*/
if (res && response_text != NULL) {
- *response_text = strdup (user_answer);
+ *response_text = strndup (user_answer, PAM_MAX_RESP_SIZE - 1);
+ (*response_text)[PAM_MAX_RESP_SIZE - 1] = '\0';
}
memset (user_answer, '\0', strlen (user_answer));
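Review bot: The added store `(*response_text)[PAM_MAX_RESP_SIZE - 1] = '\0';` writes at a fixed offset, but `strndup` allocates only the copied length plus one byte, so for any answer shorter than `PAM_MAX_RESP_SIZE - 1` characters it lands past the end of the heap block. `strndup` always NUL-terminates its result, so the store is redundant and should be dropped, leaving just `*response_text = strndup (user_answer, PAM_MAX_RESP_SIZE - 1);`. Dropping it also removes the dereference of a NULL result when the allocation fails; a NULL check on `*response_text` before it is handed back would still be worth adding. Over-long answers are now truncated silently, which presumably surfaces as an ordinary authentication failure, so a debug message noting the truncation (never the answer itself) would help diagnosis. The enclosing function starts and ends outside the hunk.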