Hi,
please review the following patch.
The AUTH-PAM plugin contains the function `searchandreplace`. The buffer
allocated there can be overflown if the parameter `replace_with` is to long
(depending on the format string).
E.g.:
searchandreplace(to search :=“X”, searchfor := “X”, replacewith :=
“0123456789!”)
would overflow `temp` with the character ‘!’.
The call tree contains multiple calls with a user supplied value for
`replace_with`.
Jens
From 40bc7c89330fde212ef96d18f7092c9dd4c5e6a0 Mon Sep 17 00:00:00 2001
From: Jens Neuhalfen <j...@neuhalfen.name>
List-Post: openvpn-devel@lists.sourceforge.net
Date: Tue, 19 Apr 2016 20:42:55 +0200
Subject: [PATCH] auth-pam:Fix buffer overflow by user supplied data
Passing very long usernames/passwords for pam authentication could possibly
lead to a stack based buffer overrun in the auth-pam plugin.
---
src/plugins/auth-pam/auth-pam.c | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/src/plugins/auth-pam/auth-pam.c b/src/plugins/auth-pam/auth-pam.c
index 95692ab..574a08d 100644
--- a/src/plugins/auth-pam/auth-pam.c
+++ b/src/plugins/auth-pam/auth-pam.c
@@ -123,13 +123,15 @@ static void pam_server (int fd, const char *service, int
verb, const struct name
static char *
searchandreplace(const char *tosearch, const char *searchfor, const char
*replacewith)
{
+ if (!tosearch || !searchfor || !replacewith) return 0;
+ if (!strlen(tosearch) || !strlen(searchfor) || !strlen(replacewith)) return
0;
+
const char *searching=tosearch;
char *scratch;
- char temp[strlen(tosearch)*10];
+
+ char temp[strlen(tosearch) * strlen(replacewith) + 1];
temp[0]=0;
- if (!tosearch || !searchfor || !replacewith) return 0;
- if (!strlen(tosearch) || !strlen(searchfor) || !strlen(replacewith)) return
0;
scratch = strstr(searching,searchfor);
if (!scratch) return strdup(tosearch);
--
2.6.4 (Apple Git-63)
