From skynick@stu.lipetsk.ru  Fri Nov 28 15:25:24 2003
Return-Path: <skynick@stu.lipetsk.ru>
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 696A716A4D2
	for <FreeBSD-gnats-submit@freebsd.org>; Fri, 28 Nov 2003 15:23:32 -0800 (PST)
Received: from falcon.lipetsk.ru (falcon.lipetsk.ru [195.34.224.68])
	by mx1.FreeBSD.org (Postfix) with ESMTP id C85D543FBF
	for <FreeBSD-gnats-submit@freebsd.org>; Fri, 28 Nov 2003 15:23:30 -0800 (PST)
	(envelope-from skynick@stu.lipetsk.ru)
Received: from lstu by falcon.lipetsk.ru with UUCP id <S201444AbTK1XXF>;
	Sat, 29 Nov 2003 02:23:05 +0300
Received: from chuck2.lstu (chuck2.lstu [192.168.15.7]) 
	  by maverick.stu.int (8.9.3/8.8.5) with ESMTP id CAA22966 
	  for <FreeBSD-gnats-submit@freebsd.org> Sat, 29 Nov 2003 02:19:21 +0300 (MSK)
Received: by chuck2.lstu (Postfix, from userid 1000)
	id E850949A29; Sat, 29 Nov 2003 02:23:07 +0300 (MSK)
Message-Id: <20031128232307.E850949A29@chuck2.lstu>
Date: Sat, 29 Nov 2003 02:23:07 +0300 (MSK)
From: Nick Leuta <skynick@mail.sc.ru>
Reply-To: Nick Leuta <skynick@mail.sc.ru>
To: FreeBSD-gnats-submit@freebsd.org
Subject: ftpd(8)/FreeBSD 5: PAM "session" code is unreachable
X-Send-Pr-Version: 3.113
X-GNATS-Notify:

>Number:         59776
>Category:       bin
>Synopsis:       ftpd(8)/FreeBSD 5: PAM "session" code is unreachable
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    yar
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Fri Nov 28 15:30:23 PST 2003
>Closed-Date:    Mon Nov 15 11:13:55 GMT 2004
>Last-Modified:  Mon Nov 15 11:13:55 GMT 2004
>Originator:     Nick Leuta
>Release:        FreeBSD 4.9-RC i386
>Organization:
Lipetsk State Technical University
>Environment:
System: FreeBSD skynick.stu.lipetsk.ru 4.9-RC FreeBSD 4.9-RC #0: Sun Nov 23 19:53:55 MSK 2003 root@skynick.stu.lipetsk.ru:/usr/src/sys/compile/CORSAIR i386
>Description:
The global "pam_handle_t *pamh" variable is redeclared in the auth_pam()
function, so the global "*pamh" will always be NULL and so the
pam_open_session() call will always be unreachable.
>How-To-Repeat:
Put the pam_deny.so module into the "session" group as a required module and
see the logs...
>Fix:

diff -urN ftpd.ORI/ftpd.c ftpd/ftpd.c
--- ftpd.ORI/ftpd.c	Sat Nov 15 14:08:26 2003
+++ ftpd/ftpd.c	Wed Nov 26 01:49:26 2003
@@ -1162,13 +1162,15 @@
 		       LOGIN_SETMAC);
 #endif
 #ifdef USE_PAM
-	if ((e = pam_setcred(pamh, PAM_DELETE_CRED)) != PAM_SUCCESS)
-		syslog(LOG_ERR, "pam_setcred: %s", pam_strerror(pamh, e));
-	if ((e = pam_close_session(pamh,0)) != PAM_SUCCESS)
-		syslog(LOG_ERR, "pam_close_session: %s", pam_strerror(pamh, e));
-	if ((e = pam_end(pamh, e)) != PAM_SUCCESS)
-		syslog(LOG_ERR, "pam_end: %s", pam_strerror(pamh, e));
-	pamh = NULL;
+	if (pamh) {
+		if ((e = pam_setcred(pamh, PAM_DELETE_CRED)) != PAM_SUCCESS)
+			syslog(LOG_ERR, "pam_setcred: %s", pam_strerror(pamh, e));
+		if ((e = pam_close_session(pamh,0)) != PAM_SUCCESS)
+			syslog(LOG_ERR, "pam_close_session: %s", pam_strerror(pamh, e));
+		if ((e = pam_end(pamh, e)) != PAM_SUCCESS)
+			syslog(LOG_ERR, "pam_end: %s", pam_strerror(pamh, e));
+		pamh = NULL;
+	}
 #endif
 	logged_in = 0;
 	guest = 0;
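Review bot: The new guard `if (pamh) {` should be written `if (pamh != NULL) {`, since style(9) asks for pointers to be compared against NULL explicitly. The re-indented `syslog(LOG_ERR, "pam_close_session: %s", pam_strerror(pamh, e));` line now runs past 80 columns and wants wrapping. The guard itself is needed: once the handle lives only in the file-scope variable, this logout path can run without a successful pam_start().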
@@ -1238,7 +1240,6 @@
 static int
 auth_pam(struct passwd **ppw, const char *pass)
 {
-	pam_handle_t *pamh = NULL;
 	const char *tmpl_user;
 	const void *item;
 	int rval;
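Review bot: Dropping the local `pam_handle_t *pamh = NULL;` makes auth_pam() write the file-scope handle as a side effect, and nothing at the top of the function documents that contract or checks for a handle that is still held from an earlier call. Add a comment above auth_pam() stating that success leaves pamh set for the later session and credential calls and that every failure return must pam_end() it and set it to NULL. Consider also asserting `pamh == NULL` (or ending a stale handle) before pam_start() is reached, so a repeated authentication attempt cannot overwrite a live handle.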
@@ -1249,6 +1250,7 @@
 	e = pam_start("ftpd", (*ppw)->pw_name, &conv, &pamh);
 	if (e != PAM_SUCCESS) {
 		syslog(LOG_ERR, "pam_start: %s", pam_strerror(pamh, e));
+		/* pamh is NULL */
 		return -1;
 	}
 
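Review bot: The pam_start() failure branch still passes pamh to pam_strerror() on the syslog line directly above the new `/* pamh is NULL */` comment, so the comment documents that a NULL handle is handed to the library. Log the error code without the handle, and replace the comment with an explicit `pamh = NULL;` before `return -1;`, as the pam_set_item() branch does, so the file-scope pointer's state does not depend on what pam_start() leaves in it on failure.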
@@ -1256,6 +1258,10 @@
 	if (e != PAM_SUCCESS) {
 		syslog(LOG_ERR, "pam_set_item(PAM_RHOST): %s",
 			pam_strerror(pamh, e));
+		if ((e = pam_end(pamh, e)) != PAM_SUCCESS) {
+			syslog(LOG_ERR, "pam_end: %s", pam_strerror(pamh, e));
+		}
+		pamh = NULL;
 		return -1;
 	}
 
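Review bot: In the added cleanup for the pam_set_item() failure, the inner syslog calls `pam_strerror(pamh, e)` after `pam_end(pamh, e)` has already been called on that handle, so the error report reads a handle that may have been released. Report the pam_end() return value without passing the handle. Only this one failure return is shown releasing the handle and resetting pamh; any other `return -1` in auth_pam() after pam_start() needs the same cleanup, ideally through a single shared exit label.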
>Release-Note:
>Audit-Trail:
State-Changed-From-To: open->patched 
State-Changed-By: yar 
State-Changed-When: Sat Oct 30 17:32:57 GMT 2004 
State-Changed-Why:  
The patch applied to CURRENT with a minor modification: 
pam_strerror() shouldn't be called with NULL pamh at all. 
Thanks! 


Responsible-Changed-From-To: freebsd-bugs->yar 
Responsible-Changed-By: yar 
Responsible-Changed-When: Sat Oct 30 17:32:57 GMT 2004 
Responsible-Changed-Why:  
My area. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=59776 
State-Changed-From-To: patched->closed 
State-Changed-By: yar 
State-Changed-When: Mon Nov 15 11:07:52 GMT 2004 
State-Changed-Why:  
The fix has been merged to 5-STABLE. 
In 4-STABLE, ftpd doesn't have the "pamh" global. 
The calls to pam_end() might have been added, but 
I don't feel like fixing code that works, especially 
related to PAM in 4-STABLE. 

>Unformatted:
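A constructed C miniature of the shadowing bug described in this PR, added here as an example and not taken from ftpd or from the submitted patch. `struct handle`, `gh`, `start()` and the other names are hypothetical stand-ins for `pam_handle_t`, the file-scope `pamh` and `pam_start()`; compiling with `-Wshadow` reports the local declaration in `auth_shadowed()`.

```c
/* Constructed illustration only: no real PAM or ftpd code is used here. */
#include <stddef.h>

struct handle { int session_open; };   /* stand-in for pam_handle_t */
static struct handle the_handle;
static struct handle *gh = NULL;       /* stand-in for the file-scope pamh */

/* Stand-in for pam_start(): returns a handle through the out-parameter. */
static int start(struct handle **out) { *out = &the_handle; return 0; }

/* Before the fix: the local declaration shadows the file-scope pointer,
 * so start() fills in the local and the global stays NULL. */
static int auth_shadowed(void)
{
	struct handle *gh = NULL;      /* shadows the global */
	return start(&gh);
}

/* After the fix: no local, so start() fills in the file-scope pointer. */
static int auth_fixed(void)
{
	return start(&gh);
}

/* Stand-in for the login path: the session is opened only if a handle
 * exists, which is why the session code was unreachable. */
static int open_session_if_authenticated(void)
{
	if (gh == NULL)
		return 0;              /* always taken with the shadowed local */
	gh->session_open = 1;
	return 1;
}

/* Returns 1 if the session step ran after the chosen auth routine. */
int session_reached(int use_fixed)
{
	gh = NULL;
	the_handle.session_open = 0;
	if ((use_fixed ? auth_fixed() : auth_shadowed()) != 0)
		return -1;
	return open_session_if_authenticated();
}

int main(void)
{
	return (session_reached(0) == 0 && session_reached(1) == 1) ? 0 : 1;
}
```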
