2 Errata 2023 06 27 a
Dag-Erling Smørgrav edited this page 2023-06-26 18:59:21 +00:00

Errata: Null pointer dereference in openpam_set_option()

Date:: 2023-06-27

Affects:: All releases prior to Ximenia

Description:: When removing an option, openpam_set_option() failed to decrement optc, causing subsequent calls to potentially pass a null pointer to strncmp(), resulting in a crash.

Workaround:: None.

Fix:: Upgrade to OpenPAM Ximenia. If you are unable or unwilling to upgrade, apply the following patch:

--- lib/libpam/openpam_set_option.c.orig
+++ lib/libpam/openpam_set_option.c
@@ -83,6 +83,7 @@ openpam_set_option(pam_handle_t *pamh,
                for (free(cur->optv[i]); i < cur->optc; ++i)
                        cur->optv[i] = cur->optv[i + 1];
                cur->optv[i] = NULL;
+               --cur->optc;
                RETURNC(PAM_SUCCESS);
        }
        if (asprintf(&opt, "%.*s=%s", (int)len, option, value) < 0)