From d9da9b90a2be88825b3219f21b5865872591bbdb Mon Sep 17 00:00:00 2001 From: Ted Gould Date: Tue, 28 Aug 2012 15:14:40 -0500 Subject: Making sure that there's no way that we can write over the end of the buffer even for very, very, very long home directory names. --- src/pam-freerdp.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'src/pam-freerdp.c') diff --git a/src/pam-freerdp.c b/src/pam-freerdp.c index f635162..8129787 100644 --- a/src/pam-freerdp.c +++ b/src/pam-freerdp.c @@ -283,7 +283,7 @@ pam_sm_open_session (pam_handle_t *pamh, int flags, int argc, const char ** argv memset(&socket_addr, 0, sizeof(struct sockaddr_un)); socket_addr.sun_family = AF_UNIX; strncpy(socket_addr.sun_path, pwdent->pw_dir, sizeof(socket_addr.sun_path) - 1); - strncpy(socket_addr.sun_path + strlen(pwdent->pw_dir), "/.freerdp-socket", sizeof(socket_addr.sun_path) - 1); + strncpy(socket_addr.sun_path + strlen(pwdent->pw_dir), "/.freerdp-socket", (sizeof(socket_addr.sun_path) - strlen(pwdent->pw_dir)) - 1); /* We bind the socket before forking so that we ensure that there isn't a race condition to get to it. Things will block -- cgit v1.2.3 From c8d25717c4a441e05b1c702288a1b5928e62c288 Mon Sep 17 00:00:00 2001 From: Ted Gould Date: Tue, 28 Aug 2012 15:24:34 -0500 Subject: Locking the buffer 'cause it would have the password in it --- src/pam-freerdp.c | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) (limited to 'src/pam-freerdp.c') diff --git a/src/pam-freerdp.c b/src/pam-freerdp.c index 8129787..82704c5 100644 --- a/src/pam-freerdp.c +++ b/src/pam-freerdp.c @@ -303,10 +303,15 @@ pam_sm_open_session (pam_handle_t *pamh, int flags, int argc, const char ** argv buffer_len += strlen(password) + 1; /* Add one for the NULL */ char * buffer = malloc(buffer_len); + /* Lock the buffer before writing */ + mlock(buffer, buffer_len); snprintf(buffer, buffer_len, "%s %s %s %s", ruser, password, rdomain, rhost); pid_t pid = fork(); if (pid == 0) { + /* Locks to carry over */ + mlock(buffer, buffer_len); + if (setgid(pwdent->pw_gid) < 0 || setuid(pwdent->pw_uid) < 0 || setegid(pwdent->pw_gid) < 0 || seteuid(pwdent->pw_uid) < 0) { _exit(EXIT_FAILURE); @@ -341,11 +346,14 @@ pam_sm_open_session (pam_handle_t *pamh, int flags, int argc, const char ** argv } else if (pid < 0) { retval = PAM_SYSTEM_ERR; close(socketfd); - free(buffer); } else { session_pid = pid; } + memset(buffer, 0, buffer_len); + munlock(buffer, buffer_len); + free(buffer); + done: if (username != NULL) { free(username); } if (password != NULL) { free(password); } -- cgit v1.2.3