10104 pam_set_data() dereferences pointer before checking for NULL

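--- a/usr/src/lib/libpam/pam_framework.c
+++ b/usr/src/lib/libpam/pam_framework.c
@@ -16,20 +16,24 @@
  * fields enclosed by brackets "[]" replaced with your own identifying
  * information: Portions Copyright [yyyy] [name of copyright owner]
  *
  * CDDL HEADER END
  */
 /*
  * Copyright 2009 Sun Microsystems, Inc.  All rights reserved.
  * Use is subject to license terms.
  */
 
+/*
+ * Copyright (c) 2019, Joyent, Inc.
+ */
+
 #include <syslog.h>
 #include <dlfcn.h>
 #include <sys/types.h>
 #include <sys/stat.h>
 #include <stdlib.h>
 #include <strings.h>
 #include <malloc.h>
 #include <unistd.h>
 #include <fcntl.h>
 #include <errno.h>
@@ -47,50 +51,50 @@
         PAM_AUTH_NAME,
         PAM_PASSWORD_NAME,
         PAM_SESSION_NAME
 };
 
 static char *pam_inames [PAM_MAX_ITEMS] = {
 /* NONE */              NULL,
 /* PAM_SERVICE */       "service",
 /* PAM_USER */          "user",
 /* PAM_TTY */           "tty",
-/* PAM_RHOST */         "rhost",
+/* PAM_RHOST */         "rhost",
 /* PAM_CONV */          "conv",
 /* PAM_AUTHTOK */       "authtok",
 /* PAM_OLDAUTHTOK */    "oldauthtok",
-/* PAM_RUSER */         "ruser",
+/* PAM_RUSER */         "ruser",
 /* PAM_USER_PROMPT */   "user_prompt",
 /* PAM_REPOSITORY */    "repository",
 /* PAM_RESOURCE */      "resource",
-/* PAM_AUSER */         "auser",
+/* PAM_AUSER */         "auser",
 /* Undefined Items */
 };
 
 /*
  * This extra definition is needed in order to build this library
  * on pre-64-bit-aware systems.
  */
 #if !defined(_LFS64_LARGEFILE)
 #define stat64  stat
 #endif  /* !defined(_LFS64_LARGEFILE) */
 
 /* functions to dynamically load modules */
 static int      load_modules(pam_handle_t *, int, char *, pamtab_t *);
-static void     *open_module(pam_handle_t *, char *);
+static void     *open_module(pam_handle_t *, char *);
 static int      load_function(void *, char *, int (**func)());
 
 /* functions to read and store the pam.conf configuration file */
 static int      open_pam_conf(struct pam_fh **, pam_handle_t *, char *);
 static void     close_pam_conf(struct pam_fh *);
 static int      read_pam_conf(pam_handle_t *, char *);
-static int      get_pam_conf_entry(struct pam_fh *, pam_handle_t *,
+static int      get_pam_conf_entry(struct pam_fh *, pam_handle_t *,
     pamtab_t **);
 static char     *read_next_token(char **);
 static char     *nextline(struct pam_fh *, pam_handle_t *, int *);
 static int      verify_pam_conf(pamtab_t *, char *);
 
 /* functions to clean up and free memory */
 static void     clean_up(pam_handle_t *);
 static void     free_pamconf(pamtab_t *);
 static void     free_pam_conf_info(pam_handle_t *);
 static void     free_env(env_list *);
@@ -790,22 +794,22 @@
  */
 
 int
 pam_set_data(pam_handle_t *pamh, const char *module_data_name, void *data,
     void (*cleanup)(pam_handle_t *pamh, void *data, int pam_end_status))
 {
         struct pam_module_data *psd;
 
         pam_trace(PAM_DEBUG_DATA,
             "pam_set_data(%p:%s:%d)=%p", (void *)pamh,
-            module_data_name ? module_data_name : "NULL", pamh->pam_inmodule,
-            data);
+            (module_data_name != NULL) ? module_data_name : "NULL",
+            (pamh != NULL) ? pamh->pam_inmodule : -1, data);
         if (pamh == NULL || (pamh->pam_inmodule != WO_OK) ||
             module_data_name == NULL) {
                 return (PAM_SYSTEM_ERR);
         }
 
         /* check if module data already exists */
 
         for (psd = pamh->ssd; psd; psd = psd->next) {
                 if (strcmp(psd->module_data_name, module_data_name) == 0) {
                         /* clean up original data before setting the new data */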
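Review bot: The pam_trace() call in pam_set_data() still runs before the `pamh == NULL` / `module_data_name == NULL` validation, and nothing in the code records that ordering, so a later edit that adds another `pamh->` argument to the trace would bring the NULL dereference back. A comment directly above the call, for example `/* pamh and module_data_name are not validated yet; guard every dereference in this trace */`, would make the constraint explicit, and it should also say that `-1` is the value logged for pam_inmodule when pamh is NULL. Other entry points in this file that trace before validating their handle are not visible in this view and may deserve the same check. The body of pam_set_data() continues past the last line shown here.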