From 58cb830da11e54bcc0116a4b5b1afd3e45a08482 Mon Sep 17 00:00:00 2001 From: Cyril Duval Date: Wed, 23 Nov 2022 15:20:38 +0100 Subject: pam_listfile: fix pointer misuse leading to data corruption pam_listfile assumes the group being tested will be written at the end of the argument list by carrying only a pointer to the value being examined in 'myval'. Therefore example ''' auth required pam_listfile.so \ onerr=succeed apply=ftp item=user sense=deny file=/etc/ftpusers ''' modified from https://linux.die.net/man/8/pam_listfile is not working because 'apply_val' will point to the latest value of 'myval', which in this case will be "/etc/ftpusers" instead of "ftp". Fix this issue by copying the value of 'myval' instead of just taking a reference pointer. Signed-off-by: Cyril Duval --- modules/pam_listfile/pam_listfile.c | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/modules/pam_listfile/pam_listfile.c b/modules/pam_listfile/pam_listfile.c index 28fd58fc..937576fd 100644 --- a/modules/pam_listfile/pam_listfile.c +++ b/modules/pam_listfile/pam_listfile.c @@ -53,17 +53,16 @@ pam_sm_authenticate (pam_handle_t *pamh, int flags UNUSED, const char *citemp; char *ifname=NULL; char aline[256]; - char mybuf[256],myval[256]; + char mybuf[256],myval[256],apply_val[256]; struct stat fileinfo; FILE *inf; - const char *apply_val; int apply_type; /* Stuff for "extended" items */ struct passwd *userinfo; apply_type=APPLY_TYPE_NULL; - apply_val=""; + apply_val[0] = '\0'; for(i=0; i < argc; i++) { { @@ -133,10 +132,10 @@ pam_sm_authenticate (pam_handle_t *pamh, int flags UNUSED, apply_type=APPLY_TYPE_NONE; if (myval[0]=='@') { apply_type=APPLY_TYPE_GROUP; - apply_val=myval+1; + memcpy(apply_val,myval+1,sizeof(myval)-1); } else { apply_type=APPLY_TYPE_USER; - apply_val=myval; + memcpy(apply_val,myval,sizeof(myval)); } } else { free(ifname); -- cgit v1.2.1