From sanewo@muse.sanewo.dyn.to  Tue Apr  2 08:01:22 2002
Return-Path: <sanewo@muse.sanewo.dyn.to>
Received: from muse.sanewo.dyn.to (pdd8b29.tkyoac00.ap.so-net.ne.jp [218.221.139.41])
	by hub.freebsd.org (Postfix) with ESMTP id 4029C37B422
	for <FreeBSD-gnats-submit@freebsd.org>; Tue,  2 Apr 2002 08:01:21 -0800 (PST)
Received: from muse.sanewo.dyn.to (sanewo@localhost [127.0.0.1])
	by muse.sanewo.dyn.to (8.12.2/8.12.2) with ESMTP id g32G1KWK053247;
	Wed, 3 Apr 2002 01:01:20 +0900 (JST)
	(envelope-from sanewo@muse.sanewo.dyn.to)
Received: (from sanewo@localhost)
	by muse.sanewo.dyn.to (8.12.2/8.12.2/Submit) id g32G1HgJ053242;
	Wed, 3 Apr 2002 01:01:17 +0900 (JST)
Message-Id: <200204021601.g32G1HgJ053242@muse.sanewo.dyn.to>
Date: Wed, 3 Apr 2002 01:01:17 +0900 (JST)
From: Takanori Saneto <sanewo@ba2.so-net.ne.jp>
To: FreeBSD-gnats-submit@freebsd.org
Cc: des@ofug.org
Subject: libpam bugs cause xdm+pam_ssh crash on -CURRENT
X-Send-Pr-Version: 3.113
X-GNATS-Notify:

>Number:         36658
>Category:       bin
>Synopsis:       libpam bugs cause xdm+pam_ssh crash on -CURRENT
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    freebsd-bugs
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue Apr 02 08:10:02 PST 2002
>Closed-Date:    Tue Apr 02 12:57:41 PST 2002
>Last-Modified:  Tue Apr 02 12:57:41 PST 2002
>Originator:     Takanori Saneto
>Release:        FreeBSD 5.0-CURRENT i386
>Organization:
an individual
>Environment:
System: FreeBSD muse.sanewo.dyn.to 5.0-CURRENT FreeBSD 5.0-CURRENT #0: Sat Mar 30 03:32:57 JST 2002 sanewo@muse.sanewo.dyn.to:/export/usr/obj/usr/src/sys/MUSE i386

5.0-CURRENT as of today, XFree86 4.2.99.1 as of 2002/Jan

>Description:

A couple of bugs in libpam (pam_putenv and pam_set_data) cause an xdm core dump.

In pam_putenv, the size of the env array was growing in bytes instead of in units of sizeof(char *).
In pam_set_data, an incorrect pointer was free()ed and the passed data was not set at all.

>How-To-Repeat:

Enable pam_ssh in /etc/pam.d/xdm and try to login via xdm.

>Fix:

The following patch should fix the problem.

Index: pam_putenv.c
===================================================================
RCS file: /export/cvsup/cvs/src/contrib/openpam/lib/pam_putenv.c,v
retrieving revision 1.1.1.4
diff -u -r1.1.1.4 pam_putenv.c
--- pam_putenv.c	14 Mar 2002 20:42:06 -0000	1.1.1.4
+++ pam_putenv.c	2 Apr 2002 15:37:13 -0000
@@ -73,7 +73,7 @@
 
 	/* grow the environment list if necessary */
 	if (pamh->env_count == pamh->env_size) {
-		env = realloc(pamh->env, pamh->env_size * 2 + 1);
+		env = realloc(pamh->env, sizeof(char *) * (pamh->env_size * 2 + 1));
 		if (env == NULL)
 			return (PAM_BUF_ERR);
 		pamh->env = env;
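Review bot: the corrected size is now in pointers rather than bytes, which is what the `pamh->env[...]` stores need, but the hunk ends at `pamh->env = env;` before `env_size` is updated; if the lines that follow do not set `pamh->env_size` to the same `pamh->env_size * 2 + 1`, the `env_count == env_size` test will never fire again once `env_count` passes the old size and the array will be overrun on a later call. Consider `sizeof *env` instead of `sizeof(char *)` so the expression tracks the element type if `env` ever changes, and make sure the extra `+ 1` slot is the one reserved for the NULL terminator rather than an off-by-one in the growth formula.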
Index: pam_set_data.c
===================================================================
RCS file: /export/cvsup/cvs/src/contrib/openpam/lib/pam_set_data.c,v
retrieving revision 1.1.1.4
diff -u -r1.1.1.4 pam_set_data.c
--- pam_set_data.c	14 Mar 2002 20:42:06 -0000	1.1.1.4
+++ pam_set_data.c	2 Apr 2002 14:53:39 -0000
@@ -74,11 +74,12 @@
 	if ((dp = malloc(sizeof *dp)) == NULL)
 		return (PAM_BUF_ERR);
 	if ((dp->name = strdup(module_data_name)) == NULL) {
-		free(data);
+		free(dp);
 		return (PAM_BUF_ERR);
 	}
+	dp->data = data;
 	dp->next = pamh->module_data;
-	pamh->module_data = data;
+	pamh->module_data = dp;
 	return (PAM_SUCCESS);
 }
 
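Review bot: `free(dp)` on the strdup failure path and `pamh->module_data = dp` are the right targets (the old code freed the caller's `data`, leaked `dp`, and then linked `data` itself into the list, so the next walk of `module_data` would dereference user memory as a node), but `dp` comes from `malloc`, and this hunk assigns only `name`, `data` and `next`; any other member of `*dp` is left with indeterminate contents. Either allocate with `calloc(1, sizeof *dp)` or assign every member here. The follow-up in the audit trail notes that this patch was still not sufficient, which fits a member left unset.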



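As an added illustration of the two allocation patterns the report describes (not OpenPAM's code), the following C shows the pointer-array growth that pam_putenv needed and the node push that pam_set_data needed, written correctly. The names env_list, env_put, data_node, data_set and data_get are hypothetical and only mirror the shapes in the report; the sample entries in the usage are constructed.

```c
/*
 * Added example, not OpenPAM's code.  env_list / env_put mirror pam_putenv,
 * data_node / data_set mirror pam_set_data; all names are hypothetical.
 */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

struct env_list {
	char **env;        /* NULL-terminated array of "NAME=value" strings */
	size_t env_count;  /* slots in use, excluding the terminating NULL */
	size_t env_size;   /* slots allocated, including the one for the NULL */
};

struct data_node {
	char *name;
	void *data;
	struct data_node *next;
};

/* Local strdup so the example needs no feature-test macros. */
static char *dupstr(const char *s)
{
	size_t n = strlen(s) + 1;
	char *p = malloc(n);
	return p != NULL ? memcpy(p, s, n) : NULL;
}

/* Append a copy of s; 0 on success, -1 on allocation failure (list unchanged). */
int env_put(struct env_list *l, const char *s)
{
	/* Need room for the new entry plus the terminating NULL. */
	if (l->env_count + 2 > l->env_size) {
		size_t nsize = l->env_size;
		while (nsize < l->env_count + 2)
			nsize = nsize * 2 + 1;		/* 0 -> 1 -> 3 -> 7 -> ... */
		/*
		 * The request is counted in pointers, not bytes: a bare
		 * realloc(l->env, nsize) returns nsize bytes, i.e. only
		 * nsize / sizeof(char *) slots, and the store below would run
		 * off the end of the block.  That is the pam_putenv bug.
		 */
		if (nsize > SIZE_MAX / sizeof *l->env)
			return -1;
		char **env = realloc(l->env, nsize * sizeof *l->env);
		if (env == NULL)
			return -1;
		l->env = env;
		l->env_size = nsize;	/* keep the bookkeeping in step */
	}
	char *copy = dupstr(s);
	if (copy == NULL)
		return -1;
	l->env[l->env_count++] = copy;
	l->env[l->env_count] = NULL;
	return 0;
}

/*
 * Push a named item onto *head.  On failure only what this function
 * allocated is released; the caller keeps ownership of data (the report's
 * original code freed data instead of the node and then linked data itself
 * into the list).  0 on success, -1 on allocation failure.
 */
int data_set(struct data_node **head, const char *name, void *data)
{
	struct data_node *dp = calloc(1, sizeof *dp);	/* zeroed: no stale members */
	if (dp == NULL)
		return -1;
	if ((dp->name = dupstr(name)) == NULL) {
		free(dp);		/* our node, not the caller's data */
		return -1;
	}
	dp->data = data;
	dp->next = *head;
	*head = dp;
	return 0;
}

/* Look an item up by name; NULL when absent. */
void *data_get(const struct data_node *head, const char *name)
{
	for (; head != NULL; head = head->next)
		if (strcmp(head->name, name) == 0)
			return head->data;
	return NULL;
}

void env_free(struct env_list *l)
{
	for (size_t i = 0; i < l->env_count; i++)
		free(l->env[i]);
	free(l->env);
	l->env = NULL;
	l->env_count = l->env_size = 0;
}

void data_free(struct data_node **head)
{
	while (*head != NULL) {
		struct data_node *dp = *head;
		*head = dp->next;
		free(dp->name);
		free(dp);
	}
}
```

Both functions return an error without touching the caller's state on allocation failure, and env_put keeps env_size in step with the block it actually owns, which is the invariant the byte-sized realloc in the report broke.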
>Release-Note:
>Audit-Trail:

From: Takanori Saneto <sanewo@ba2.so-net.ne.jp>
To: FreeBSD-gnats-submit@FreeBSD.org
Cc: Dag-Erling Smorgrav <des@FreeBSD.org>
Subject: Re: bin/36658: libpam bugs cause xdm+pam_ssh crash on -CURRENT
Date: Wed, 03 Apr 2002 01:25:57 +0900

 Oops, my CVS repository was half a day old.
 
 pam_set_data.c was already fixed. (And my patch was not sufficient for
 that bug to be fixed. sigh)
 -- 
 SANETO, Takanori <URL:mailto:sanewo@ba2.so-net.ne.jp>
State-Changed-From-To: open->closed 
State-Changed-By: des 
State-Changed-When: Tue Apr 2 12:57:40 PST 2002 
State-Changed-Why:  
Fixed, thanks! 

http://www.freebsd.org/cgi/query-pr.cgi?pr=36658 
>Unformatted:
