diff options
author | Ted Gould <ted@gould.cx> | 2012-08-29 08:40:23 +0000 |
---|---|---|
committer | Tarmac <Unknown> | 2012-08-29 08:40:23 +0000 |
commit | 055f943aab70784cb9cb3a86c4c3e051df0f35ab (patch) | |
tree | 5241c033b2060b42562957800e68b8a694e8072f | |
parent | 291215b11380898ffd8b8367a76043a451384146 (diff) | |
parent | 7666892cefc221a275782704fa468582f604c89f (diff) | |
download | libpam-freerdp2-055f943aab70784cb9cb3a86c4c3e051df0f35ab.tar.gz libpam-freerdp2-055f943aab70784cb9cb3a86c4c3e051df0f35ab.tar.bz2 libpam-freerdp2-055f943aab70784cb9cb3a86c4c3e051df0f35ab.zip |
Lock buffer memory and protect to memory overruns.. Approved by Albert Astals Cid, jenkins.
-rw-r--r-- | src/pam-freerdp.c | 12 |
1 files changed, 10 insertions, 2 deletions
diff --git a/src/pam-freerdp.c b/src/pam-freerdp.c index b6ec769..02524fb 100644 --- a/src/pam-freerdp.c +++ b/src/pam-freerdp.c @@ -284,7 +284,7 @@ pam_sm_open_session (pam_handle_t *pamh, int flags, int argc, const char ** argv memset(&socket_addr, 0, sizeof(struct sockaddr_un)); socket_addr.sun_family = AF_UNIX; strncpy(socket_addr.sun_path, pwdent->pw_dir, sizeof(socket_addr.sun_path) - 1); - strncpy(socket_addr.sun_path + strlen(pwdent->pw_dir), "/.freerdp-socket", sizeof(socket_addr.sun_path) - 1); + strncpy(socket_addr.sun_path + strlen(pwdent->pw_dir), "/.freerdp-socket", (sizeof(socket_addr.sun_path) - strlen(pwdent->pw_dir)) - 1); /* We bind the socket before forking so that we ensure that there isn't a race condition to get to it. Things will block @@ -313,10 +313,15 @@ pam_sm_open_session (pam_handle_t *pamh, int flags, int argc, const char ** argv buffer_len += strlen(password) + 1; /* Add one for the NULL */ char * buffer = malloc(buffer_len); + /* Lock the buffer before writing */ + mlock(buffer, buffer_len); snprintf(buffer, buffer_len, "%s %s %s %s", ruser, password, rdomain, rhost); pid_t pid = fork(); if (pid == 0) { + /* Locks to carry over */ + mlock(buffer, buffer_len); + if (setgid(pwdent->pw_gid) < 0 || setuid(pwdent->pw_uid) < 0 || setegid(pwdent->pw_gid) < 0 || seteuid(pwdent->pw_uid) < 0) { _exit(EXIT_FAILURE); @@ -351,11 +356,14 @@ pam_sm_open_session (pam_handle_t *pamh, int flags, int argc, const char ** argv } else if (pid < 0) { retval = PAM_SYSTEM_ERR; close(socketfd); - free(buffer); } else { session_pid = pid; } + memset(buffer, 0, buffer_len); + munlock(buffer, buffer_len); + free(buffer); + done: if (username != NULL) { free(username); } if (password != NULL) { free(password); } |