From 41eb8b9f02e94f538b25c5fb69c3b428157c3fd9 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Dag-Erling=20Sm=C3=B8rgrav?= <des@des.no>
Date: Mon, 26 Jun 2023 20:48:13 +0200
Subject: [PATCH] In openpam_subst(3), avoid incrementing past the end of the
 template.

My thanks to Robert Morris <rtm@lcs.mit.edu> for finding and reporting the bug.
---
 HISTORY                    |   3 ++
 lib/libpam/openpam_subst.c |   5 +-
 t/.gitignore               |   1 +
 t/Makefile.am              |   1 +
 t/t_openpam_subst.c        | 105 +++++++++++++++++++++++++++++++++++++
 5 files changed, 113 insertions(+), 2 deletions(-)
 create mode 100644 t/t_openpam_subst.c

diff --git a/HISTORY b/HISTORY
index ac30f4c..c8d66ad 100644
--- a/HISTORY
+++ b/HISTORY
@@ -5,6 +5,9 @@ OpenPAM ???							2020-07-??
 
  - BUGFIX: In openpam_set_option(3), when removing an option, properly
    decrement the option count.
+
+ - BUGFIX: In openpam_subst(3), avoid incrementing past the end of the
+   template.
 ============================================================================
 OpenPAM Tabebuia						2019-02-24
 
diff --git a/lib/libpam/openpam_subst.c b/lib/libpam/openpam_subst.c
index 37ca72a..1d10d7f 100644
--- a/lib/libpam/openpam_subst.c
+++ b/lib/libpam/openpam_subst.c
@@ -1,5 +1,5 @@
 /*-
- * Copyright (c) 2011 Dag-Erling Smørgrav
+ * Copyright (c) 2011-2023 Dag-Erling Smørgrav
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -104,7 +104,8 @@ openpam_subst(const pam_handle_t *pamh,
 				subst_char('%');
 				subst_char(*template);
 			}
-			++template;
+			if (*template)
+				++template;
 		} else {
 			subst_char(*template++);
 		}
diff --git a/t/.gitignore b/t/.gitignore
index 052fc9e..0e12c81 100644
--- a/t/.gitignore
+++ b/t/.gitignore
@@ -4,4 +4,5 @@
 /t_openpam_readlinev
 /t_openpam_readword
 /t_openpam_straddch
+/t_openpam_subst
 /t_pam_env
diff --git a/t/Makefile.am b/t/Makefile.am
index 93133a2..8fe055f 100644
--- a/t/Makefile.am
+++ b/t/Makefile.am
@@ -13,6 +13,7 @@ TESTS += t_openpam_dispatch
 TESTS += t_openpam_readword
 TESTS += t_openpam_readlinev
 TESTS += t_openpam_straddch
+TESTS += t_openpam_subst
 TESTS += t_pam_env
 check_PROGRAMS = $(TESTS)
 
diff --git a/t/t_openpam_subst.c b/t/t_openpam_subst.c
new file mode 100644
index 0000000..b4fb6c3
--- /dev/null
+++ b/t/t_openpam_subst.c
@@ -0,0 +1,105 @@
+/*-
+ * Copyright (c) 2023 Dag-Erling Smørgrav
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. The name of the author may not be used to endorse or promote
+ *    products derived from this software without specific prior written
+ *    permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifdef HAVE_CONFIG_H
+# include "config.h"
+#endif
+
+#include <err.h>
+#include <stdint.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+
+#include <cryb/test.h>
+
+#include <security/pam_appl.h>
+#include <security/openpam.h>
+
+#include "openpam_impl.h"
+
+#define T_FUNC(n, d)							\
+	static const char *t_ ## n ## _desc = d;			\
+	static int t_ ## n ## _func(OPENPAM_UNUSED(char **desc),	\
+	    OPENPAM_UNUSED(void *arg))
+
+#define T(n)								\
+	t_add_test(&t_ ## n ## _func, NULL, "%s", t_ ## n ## _desc)
+
+const char *pam_return_so;
+
+T_FUNC(final_percent, "template ends with %")
+{
+	char template[] = "test%\0deadbeef";
+	char buf[] = "Squeamish Ossifrage";
+	size_t bufsize = sizeof(buf);
+	int pam_err, ret;
+
+	pam_err = openpam_subst(NULL, buf, &bufsize, template);
+	ret = (pam_err == PAM_SUCCESS);
+	ret &= t_compare_sz(sizeof("test%"), bufsize);
+	ret &= t_compare_str("test%", buf);
+	return (ret);
+}
+
+
+/***************************************************************************
+ * Boilerplate
+ */
+
+static int
+t_prepare(int argc, char *argv[])
+{
+
+	(void)argc;
+	(void)argv;
+
+	if ((pam_return_so = getenv("PAM_RETURN_SO")) == NULL) {
+		t_printv("define PAM_RETURN_SO before running these tests\n");
+		return (0);
+	}
+
+	openpam_set_feature(OPENPAM_RESTRICT_MODULE_NAME, 0);
+	openpam_set_feature(OPENPAM_VERIFY_MODULE_FILE, 0);
+	openpam_set_feature(OPENPAM_RESTRICT_SERVICE_NAME, 0);
+	openpam_set_feature(OPENPAM_VERIFY_POLICY_FILE, 0);
+	openpam_set_feature(OPENPAM_FALLBACK_TO_OTHER, 0);
+
+	T(final_percent);
+
+	return (0);
+}
+
+int
+main(int argc, char *argv[])
+{
+
+	t_main(t_prepare, NULL, argc, argv);
+}