[src/trunk]: src/lib/libpam/modules/pam_krb5 stop using sprintf and check for...

[christos <christos%NetBSD.org@localhost>]

details:   https://anonhg.NetBSD.org/src/rev/d19d18f11ed5
branches:  trunk
changeset: 848735:d19d18f11ed5
user:      christos <christos%NetBSD.org@localhost>
date:      Fri Feb 07 22:13:35 2020 +0000

description:
stop using sprintf and check for buffer overflow.

diffstat:

 lib/libpam/modules/pam_krb5/pam_krb5.c |  34 +++++++++++++++++++++++++---------
 1 files changed, 25 insertions(+), 9 deletions(-)

diffs (84 lines):

diff -r 9f00224a4b05 -r d19d18f11ed5 lib/libpam/modules/pam_krb5/pam_krb5.c
--- a/lib/libpam/modules/pam_krb5/pam_krb5.c    Fri Feb 07 22:05:16 2020 +0000
+++ b/lib/libpam/modules/pam_krb5/pam_krb5.c    Fri Feb 07 22:13:35 2020 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: pam_krb5.c,v 1.26 2013/12/28 18:04:03 christos Exp $   */
+/*     $NetBSD: pam_krb5.c,v 1.27 2020/02/07 22:13:35 christos Exp $   */
 
 /*-
  * This pam_krb5 module contains code that is:
@@ -53,7 +53,7 @@
 #ifdef __FreeBSD__
 __FBSDID("$FreeBSD: src/lib/libpam/modules/pam_krb5/pam_krb5.c,v 1.22 2005/01/24 16:49:50 rwatson Exp $");
 #else
-__RCSID("$NetBSD: pam_krb5.c,v 1.26 2013/12/28 18:04:03 christos Exp $");
+__RCSID("$NetBSD: pam_krb5.c,v 1.27 2020/02/07 22:13:35 christos Exp $");
 #endif
 
 #include <sys/types.h>
@@ -459,6 +459,7 @@
                 if (!cache_name)
                        goto cleanup3;
        } else {
+               size_t len = PATH_MAX + 16;
                /* Get the cache name */
                cache_name = openpam_get_option(pamh, PAM_OPT_CCACHE);
                if (cache_name == NULL) {
@@ -467,7 +468,7 @@
                }
 
                /* XXX potential overflow */
-               cache_name_buf2 = p = calloc(PATH_MAX + 16, sizeof(char));
+               cache_name_buf2 = p = calloc(len, sizeof(char));
                q = cache_name;
        
                if (p == NULL) {
@@ -479,27 +480,42 @@
 
                /* convert %u and %p */
                while (*q) {
+                       int l;
                        if (*q == '%') {
                                q++;
                                if (*q == 'u') {
-                                       sprintf(p, "%d", pwd->pw_uid);
-                                       p += strlen(p);
+                                       l = snprintf(p, len, "%d", pwd->pw_uid);
                                }
                                else if (*q == 'p') {
-                                       sprintf(p, "%d", getpid());
-                                       p += strlen(p);
+                                       l = snprintf(p, len, "%d", getpid());
                                }
                                else {
                                        /* Not a special token */
-                                       *p++ = '%';
+                                       if (!len)
+                                               goto truncated;
+                                       *p = '%';
+                                       l = 1;
                                        q--;
                                }
+                               if ((size_t)l > len) {
+truncated:                             PAM_LOG("string truncation failure");
+                                       retval = PAM_BUF_ERR;
+                                       goto cleanup3;
+                               }
                                q++;
                        }
                        else {
-                               *p++ = *q++;
+                               if (!len)
+                                       goto truncated;
+                               *p = *q++;
+                               l = 1;
                        }
+                       p += l;
+                       len -= (size_t)l;
                }
+               if (!len)
+                       goto truncated;
+               *p = '\0';
        }
 
        PAM_LOG("Got cache_name: %s", cache_name);