From owner-freebsd-bugs Tue Apr 2 8:11:39 2002
Message-Id: <200204021601.g32G1HgJ053242@muse.sanewo.dyn.to>
Date: Wed, 3 Apr 2002 01:01:17 +0900 (JST)
From: Takanori Saneto
To: FreeBSD-gnats-submit@FreeBSD.org
Cc: des@ofug.org
X-Send-Pr-Version: 3.113
Subject: bin/36658: libpam bugs cause xdm+pam_ssh crash on -CURRENT

>Number: 36658
>Category: bin
>Synopsis: libpam bugs cause xdm+pam_ssh crash on -CURRENT
>Confidential: no
>Severity: critical
>Priority: high
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Tue Apr 02 08:10:02 PST 2002
>Closed-Date:
>Last-Modified:
>Originator: Takanori Saneto
>Release: FreeBSD 5.0-CURRENT i386
>Organization: an individual
>Environment:
System: FreeBSD muse.sanewo.dyn.to 5.0-CURRENT FreeBSD 5.0-CURRENT #0: Sat Mar 30 03:32:57 JST 2002 sanewo@muse.sanewo.dyn.to:/export/usr/obj/usr/src/sys/MUSE i386
5.0-CURRENT as of today, XFree86 4.2.99.1 as of 2002/Jan
>Description:
A couple of bugs in libpam (pam_putenv and pam_set_data) cause xdm to dump core. In pam_putenv, the size of the env array was growing in bytes instead of sizeof(char *). In pam_set_data, an incorrect pointer was free()ed and the passed data was not set at all.
>How-To-Repeat:
Enable pam_ssh in /etc/pam.d/xdm and try to log in via xdm.
>Fix:
The following patch should fix the problem.
Index: pam_putenv.c =================================================================== RCS file: /export/cvsup/cvs/src/contrib/openpam/lib/pam_putenv.c,v retrieving revision 1.1.1.4 diff -u -r1.1.1.4 pam_putenv.c --- pam_putenv.c 14 Mar 2002 20:42:06 -0000 1.1.1.4 +++ pam_putenv.c 2 Apr 2002 15:37:13 -0000 
@@ -73,7 +73,7 @@ /* grow the environment list if necessary */ if (pamh->env_count == pamh->env_size) { - env = realloc(pamh->env, pamh->env_size * 2 + 1); + env = realloc(pamh->env, sizeof(char *) * (pamh->env_size * 2 + 1)); if (env == NULL) return (PAM_BUF_ERR); pamh->env = env; Index: pam_set_data.c =================================================================== RCS file: /export/cvsup/cvs/src/contrib/openpam/lib/pam_set_data.c,v retrieving revision 1.1.1.4 diff -u -r1.1.1.4 pam_set_data.c --- pam_set_data.c 14 Mar 2002 20:42:06 -0000 1.1.1.4 +++ pam_set_data.c 2 Apr 2002 14:53:39 -0000 @@ -74,11 +74,12 @@ if ((dp = malloc(sizeof *dp)) == NULL) return (PAM_BUF_ERR); if ((dp->name = strdup(module_data_name)) == NULL) { - free(data); + free(dp); return (PAM_BUF_ERR); } + dp->data = data; dp->next = pamh->module_data; - pamh->module_data = data; + pamh->module_data = dp; return (PAM_SUCCESS); }
>Release-Note:
>Audit-Trail:
>Unformatted:
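Review bot: In pam_putenv.c, the new realloc() size, sizeof(char *) * (pamh->env_size * 2 + 1), is computed with no overflow check and with the element type hard-coded. Writing the element size as sizeof(*env) keeps it tied to the array's own type, and a bound on pamh->env_size before the multiplication keeps the product from wrapping to a small allocation. The hunk also does not show pamh->env_size being updated after "pamh->env = env;", so confirm that the stored size ends up equal to the env_size * 2 + 1 elements just allocated; otherwise the next growth check compares against a stale count.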
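Review bot: In pam_set_data.c, the node returned by malloc() has only name, data and next assigned before it is linked in with "pamh->module_data = dp;". pam_set_data() also receives a cleanup callback, and nothing in this hunk stores it, so every other member of *dp is left holding uninitialized heap contents. Assign the remaining members next to the added "dp->data = data;" line, or allocate the node with calloc() so that unset members are NULL. The change to free(dp) on strdup() failure releases the right pointer, since the caller still owns data on that error path.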