aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorTed Gould <ted@gould.cx>2012-08-29 08:40:23 +0000
committerTarmac <>2012-08-29 08:40:23 +0000
commitc1d37b4bf2191349d7836a4ddfd7b851328e9684 (patch)
tree5241c033b2060b42562957800e68b8a694e8072f
parentb352f976cef3bb3e262bb9b1fa8874db7f9a8378 (diff)
parentc8d25717c4a441e05b1c702288a1b5928e62c288 (diff)
downloadlibpam-x2go-c1d37b4bf2191349d7836a4ddfd7b851328e9684.tar.gz
libpam-x2go-c1d37b4bf2191349d7836a4ddfd7b851328e9684.tar.bz2
libpam-x2go-c1d37b4bf2191349d7836a4ddfd7b851328e9684.zip
Lock buffer memory and protect to memory overruns.. Approved by Albert Astals Cid, jenkins.
-rw-r--r--src/pam-freerdp.c12
1 files changed, 10 insertions, 2 deletions
diff --git a/src/pam-freerdp.c b/src/pam-freerdp.c
index b6ec769..02524fb 100644
--- a/src/pam-freerdp.c
+++ b/src/pam-freerdp.c
@@ -284,7 +284,7 @@ pam_sm_open_session (pam_handle_t *pamh, int flags, int argc, const char ** argv
memset(&socket_addr, 0, sizeof(struct sockaddr_un));
socket_addr.sun_family = AF_UNIX;
strncpy(socket_addr.sun_path, pwdent->pw_dir, sizeof(socket_addr.sun_path) - 1);
- strncpy(socket_addr.sun_path + strlen(pwdent->pw_dir), "/.freerdp-socket", sizeof(socket_addr.sun_path) - 1);
+ strncpy(socket_addr.sun_path + strlen(pwdent->pw_dir), "/.freerdp-socket", (sizeof(socket_addr.sun_path) - strlen(pwdent->pw_dir)) - 1);
/* We bind the socket before forking so that we ensure that
there isn't a race condition to get to it. Things will block
@@ -313,10 +313,15 @@ pam_sm_open_session (pam_handle_t *pamh, int flags, int argc, const char ** argv
buffer_len += strlen(password) + 1; /* Add one for the NULL */
char * buffer = malloc(buffer_len);
+ /* Lock the buffer before writing */
+ mlock(buffer, buffer_len);
snprintf(buffer, buffer_len, "%s %s %s %s", ruser, password, rdomain, rhost);
pid_t pid = fork();
if (pid == 0) {
+ /* Locks to carry over */
+ mlock(buffer, buffer_len);
+
if (setgid(pwdent->pw_gid) < 0 || setuid(pwdent->pw_uid) < 0 ||
setegid(pwdent->pw_gid) < 0 || seteuid(pwdent->pw_uid) < 0) {
_exit(EXIT_FAILURE);
@@ -351,11 +356,14 @@ pam_sm_open_session (pam_handle_t *pamh, int flags, int argc, const char ** argv
} else if (pid < 0) {
retval = PAM_SYSTEM_ERR;
close(socketfd);
- free(buffer);
} else {
session_pid = pid;
}
+ memset(buffer, 0, buffer_len);
+ munlock(buffer, buffer_len);
+ free(buffer);
+
done:
if (username != NULL) { free(username); }
if (password != NULL) { free(password); }