From 736d41089bc353ead9f758a2693776e0c22547b6 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Michel=20D=C3=A4nzer?= <michel@daenzer.net>
Date: Tue, 20 Aug 2013 11:25:00 -0400
Subject: [PATCH] worker: Fix memory corruption error/crasher
gdm_session_worker_process_pam_message() contains this code:
*response_text = strndup (user_answer,
PAM_MAX_RESP_SIZE - 1);
(*response_text)[PAM_MAX_RESP_SIZE - 1] = '\0';
If the string pointed to by user_answer is shorter than PAM_MAX_RESP_SIZE - 1
(which will generally be the case), the second line clobbers unrelated memory.
On this powerpc laptop, that causes gdm-session-worker to crash while verifying
the password, leaving me unable to log into any user session.
strndup() already ensures that the resulting string is 0-terminated anyway, so
this commit just removes the second line.
---
daemon/gdm-session-worker.c | 1 -
1 file changed, 1 deletion(-)
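diff --git a/daemon/gdm-session-worker.c b/daemon/gdm-session-worker.c
index dd58af7..f6e38a2 100644
--- a/daemon/gdm-session-worker.c
+++ b/daemon/gdm-session-worker.c
@@ -768,61 +768,60 @@ gdm_session_worker_process_pam_message (GdmSessionWorker *worker,
 switch (query->msg_style) {
 case PAM_PROMPT_ECHO_ON:
 res = gdm_session_worker_ask_question (worker, utf8_msg, &user_answer);
 break;
 case PAM_PROMPT_ECHO_OFF:
 res = gdm_session_worker_ask_for_secret (worker, utf8_msg, &user_answer);
 break;
 case PAM_TEXT_INFO:
 res = gdm_session_worker_report_info (worker, utf8_msg);
 break;
 case PAM_ERROR_MSG:
 res = gdm_session_worker_report_problem (worker, utf8_msg);
 break;
 default:
 g_assert_not_reached ();
 break;
 }
 
 if (worker->priv->timed_out) {
 gdm_dbus_worker_emit_cancel_pending_query (GDM_DBUS_WORKER (worker));
 worker->priv->timed_out = FALSE;
 }
 
 if (user_answer != NULL) {
 /* we strndup and g_free to make sure we return malloc'd
 * instead of g_malloc'd memory. PAM_MAX_RESP_SIZE includes
 * the '\0' terminating character, thus the "- 1".
 */
 if (res && response_text != NULL) {
 *response_text = strndup (user_answer, PAM_MAX_RESP_SIZE - 1);
- (*response_text)[PAM_MAX_RESP_SIZE - 1] = '\0';
 }
 
 memset (user_answer, '\0', strlen (user_answer));
 g_free (user_answer);
 
 g_debug ("GdmSessionWorker: trying to get updated username");
 
 res = TRUE;
 }
 
 g_free (utf8_msg);
 
 return res;
 }
 
 static int
 gdm_session_worker_pam_new_messages_handler (int number_of_messages,
 const struct pam_message **messages,
 struct pam_response **responses,
 GdmSessionWorker *worker)
 {
 struct pam_response *replies;
 int return_value;
 int i;
 
 g_debug ("GdmSessionWorker: %d new messages received from PAM\n", number_of_messages);
 
 return_value = PAM_CONV_ERR;
 
 if (number_of_messages < 0) {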
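Review bot: The `strndup (user_answer, PAM_MAX_RESP_SIZE - 1)` call that the hunk keeps is never checked, so on allocation failure `*response_text` is left NULL while the later unconditional `res = TRUE;` still reports the answer as delivered; what the caller then does with a TRUE result and a NULL response is outside this hunk, so I can only infer that it is unsafe. A guard such as `if (*response_text == NULL) res = FALSE;` directly after the strndup, with the later `res = TRUE;` changed so it no longer overrides that failure, would keep the error visible to the PAM conversation. Separately, `memset (user_answer, '\0', strlen (user_answer));` immediately before `g_free (user_answer);` is a dead store from the compiler's point of view and may be elided, leaving the secret in freed memory; a wipe the optimizer cannot remove (`explicit_bzero` where available, or memset through a volatile function pointer) would make the scrub reliable. Answers longer than PAM_MAX_RESP_SIZE - 1 bytes are also silently truncated, which for UTF-8 input can cut inside a multibyte sequence, so a comment at the strndup stating that this truncation is intended would help the next reader. gdm_session_worker_process_pam_message starts before the hunk and gdm_session_worker_pam_new_messages_handler continues past it.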
--
1.8.3.1