lib/44505: pam_exec fails to realloc enough space

To: lib-bug-people%netbsd.org@localhost,gnats-admin%netbsd.org@localhost,netbsd-bugs%netbsd.org@localhost
Subject: lib/44505: pam_exec fails to realloc enough space
From: mark%ecs.vuw.ac.nz@localhost
Date: Wed, 2 Feb 2011 23:05:01 +0000 (UTC)

>Number:         44505
>Category:       lib
>Synopsis:       pam_exec fails to realloc enough space
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    lib-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Wed Feb 02 23:05:00 +0000 2011
>Originator:     Mark Davies
>Release:        NetBSD 5.99.41
>Organization:
ECS, Victoria Uni. of Wellington, New Zealand.
>Environment:
        
        
System: NetBSD city-art.ecs.vuw.ac.nz 5.99.41 NetBSD 5.99.41 
(ECS_WORKSTATION.nodrm) #0: Fri Dec 17 11:11:42 NZDT 2010 
mark%turakirae.ecs.vuw.ac.nz@localhost:/local/SAVE/cur.obj/src/work/src/sys/arch/i386/compile/ECS_WORKSTATION.nodrm
 i386
Architecture: i386
Machine: i386
>Description:
        when calculating the size to realloc the envlist its building
        multiply the number of items by the size of a char *, not a char.
        
>How-To-Repeat:
        inspection.
        
>Fix:
        Apply FreeBSD's revision 1.5.  While here also apply FreeBSD's 
        revision 1.6 -- childerr needs to be volatile so gcc won't
        optimize it away.
        

Index: pam_exec.c
===================================================================
RCS file: /src/cvs/netbsd/src/lib/libpam/modules/pam_exec/pam_exec.c,v
retrieving revision 1.4
diff -u -r1.4 pam_exec.c
--- pam_exec.c  26 Feb 2005 22:45:52 -0000      1.4
+++ pam_exec.c  2 Feb 2011 22:49:56 -0000
@@ -70,8 +70,9 @@
 _pam_exec(pam_handle_t *pamh __unused, int flags __unused,
     int argc, const char *argv[])
 {
-       int childerr, envlen, i, nitems, pam_err, status;
+       int envlen, i, nitems, pam_err, status;
        char **envlist, **tmp;
+       volatile int childerr;
        pid_t pid;
 
        if (argc < 1)
@@ -90,7 +91,7 @@
        for (envlen = 0; envlist[envlen] != NULL; ++envlen)
                /* nothing */ ;
        nitems = sizeof(env_items) / sizeof(*env_items);
-       tmp = realloc(envlist, (envlen + nitems + 1) * sizeof **envlist);
+       tmp = realloc(envlist, (envlen + nitems + 1) * sizeof(*envlist));
        if (tmp == NULL) {
                openpam_free_envlist(envlist);
                return (PAM_BUF_ERR);

>Unformatted:

Prev by Date: Re: port-i386/41267: 5.0 RC4 does not detect second CPU in VIA VT-310DP motherboard
Next by Date: kern/44506: ieee80211_match_bss matches all different SSIDs of the identical length
Previous by Thread: port-alpha/44502: eventcounters initialized too early
Next by Thread: kern/44506: ieee80211_match_bss matches all different SSIDs of the identical length
Indexes:

Home | Main Index | Thread Index | Old Index