Message-Id: <200711200757.lAK7vwZX096645@brain.cc.rsu.ru>
Date: Tue, 20 Nov 2007 10:57:58 +0300 (MSK)
From: Oleg Sharoiko <os@rsu.ru>
Reply-To: Oleg Sharoiko <os@rsu.ru>
To: FreeBSD-gnats-submit@freebsd.org
Cc:
Subject: [patch] pam_lastlog doesn't check return values in pam_sm_close_session
X-Send-Pr-Version: 3.113
X-GNATS-Notify:

>Number:         118144
>Category:       bin
>Synopsis:       [patch] pam_lastlog doesn't check return values in pam_sm_close_session
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    des
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue Nov 20 08:30:01 UTC 2007
>Closed-Date:    
>Last-Modified:  Tue Nov 20 15:30:02 UTC 2007
>Originator:     Oleg Sharoiko
>Release:        FreeBSD 6.2-STABLE i386
>Organization:
>Environment:
System: FreeBSD brain.cc.rsu.ru 6.2-STABLE FreeBSD 6.2-STABLE #0: Tue Sep 18 16:26:09 MSD 2007 os@brain.cc.rsu.ru:/usr/obj/usr/src/sys/brain.i386.RELENG_6.2007-04-14 i386


	
>Description:
	From lib/libpam/modules/pam_lastlog/pam_lastlog.c

PAM_EXTERN int
pam_sm_close_session(pam_handle_t *pamh __unused, int flags __unused,
    int argc __unused, const char *argv[] __unused)
{
        const void *tty;

        pam_get_item(pamh, PAM_TTY, (const void **)&tty);
        if (strncmp(tty, _PATH_DEV, strlen(_PATH_DEV)) == 0)
                tty = (const char *)tty + strlen(_PATH_DEV);
        if (*(const char *)tty == '\0')
                return (PAM_SERVICE_ERR);
        if (logout(tty) != 1)
                syslog(LOG_ERR, "%s(): no utmp record for %s",
                    __func__, (const char *)tty);
        logwtmp(tty, "", "");
        return (PAM_SUCCESS);
}

	1. pam_get_item may fail
	2. tty may be NULL resulting in SIGSEGV in strncmp.
>How-To-Repeat:
	
>Fix:

--- pam_lastlog.c.orig	Tue Nov 20 10:05:48 2007
+++ pam_lastlog.c	Tue Nov 20 10:07:07 2007
@@ -170,9 +170,14 @@
 pam_sm_close_session(pam_handle_t *pamh __unused, int flags __unused,
     int argc __unused, const char *argv[] __unused)
 {
-        const void *tty;
+        const void *tty = NULL;
+	int pam_err;
 
-        pam_get_item(pamh, PAM_TTY, (const void **)&tty);
+        pam_err = pam_get_item(pamh, PAM_TTY, (const void **)&tty);
+	if (pam_err != PAM_SUCCESS)
+		return (pam_err);
+	if (*tty == NULL)
+		return (PAM_SERVICE_ERR);
 	if (strncmp(tty, _PATH_DEV, strlen(_PATH_DEV)) == 0)
 		tty = (const char *)tty + strlen(_PATH_DEV);
 	if (*(const char *)tty == '\0')
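
Review bot: the added check `if (*tty == NULL)` dereferences `tty`, which the same hunk declares as `const void *`, so it is not valid C, and with a typed pointer it would read through the very pointer it is meant to guard. Test the pointer itself with `if (tty == NULL)`. The added lines also mix eight-space indentation (`+        pam_err = ...`) with tabs (`+	if (pam_err ...`); the unchanged lines below use tabs.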

>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-bugs->des 
Responsible-Changed-By: remko 
Responsible-Changed-When: Tue Nov 20 08:37:50 UTC 2007 
Responsible-Changed-Why:  
over to DES (maintainer) 

http://www.freebsd.org/cgi/query-pr.cgi?pr=118144 

From: Oleg Sharoiko <os@rsu.ru>
To: bug-followup@FreeBSD.org, os@rsu.ru
Cc:  
Subject: Re: bin/118144: [patch] pam_lastlog doesn't check return values in
	pam_sm_close_session
Date: Tue, 20 Nov 2007 11:58:26 +0300

 Oops, there is an error in the original patch.
 Here is the right version:
 
 --- pam_lastlog.c.orig	Tue Nov 20 10:05:48 2007
 +++ pam_lastlog.c	Tue Nov 20 10:09:00 2007
 @@ -170,9 +170,14 @@
  pam_sm_close_session(pam_handle_t *pamh __unused, int flags __unused,
      int argc __unused, const char *argv[] __unused)
  {
 -        const void *tty;
 +        const void *tty = NULL;
 +	int pam_err;
  
 -        pam_get_item(pamh, PAM_TTY, (const void **)&tty);
 +        pam_err = pam_get_item(pamh, PAM_TTY, (const void **)&tty);
 +	if (pam_err != PAM_SUCCESS)
 +		return (pam_err);
 +	if (tty == NULL)
 +		return (PAM_SERVICE_ERR);
  	if (strncmp(tty, _PATH_DEV, strlen(_PATH_DEV)) == 0)
  		tty = (const char *)tty + strlen(_PATH_DEV);
  	if (*(const char *)tty == '\0')
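
Review bot: the two early returns added ahead of the strncmp() call make pam_sm_close_session() fail outright whenever pam_get_item() returns an error or leaves `tty` NULL, with no way for the module's configuration to soften that. The last message in this PR points out that the code in HEAD honours the `no_fail` option, so these returns should be made conditional on it in the same way. Separately, the context line still declares `pamh __unused` although `pamh` is now (and was already) passed to pam_get_item(); the attribute should be dropped from that parameter.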
 
 -- 
 Oleg Sharoiko.
 Software and Network Engineer
 Computer Center of Rostov State University.
 

From: Oleg Sharoiko <os@rsu.ru>
To: bug-followup@FreeBSD.org, os@rsu.ru
Cc:  
Subject: Re: bin/118144: [patch] pam_lastlog doesn't check return values in
	pam_sm_close_session
Date: Tue, 20 Nov 2007 18:21:30 +0300

 This bug was fixed in HEAD on Jul 22. The code in HEAD is better than my
 patch as it honours the `no_fail' option.
 
 -- 
 Oleg Sharoiko.
 Software and Network Engineer
 Computer Center of Rostov State University.
 
>Unformatted:
