diff options
| author | Brian Russell <brussell@mail.eng.vyatta.net> | 2019-11-13 14:15:01 +0000 |
|---|---|---|
| committer | Brian Russell <brussell@mail.eng.vyatta.net> | 2019-11-13 14:15:01 +0000 |
| commit | 8696a1ff70bbdca3b20dc3e48fd5394fa49efa0c (patch) | |
| tree | 7adbb6a7d893836eb597f32c804ba05a78721466 /debian/patches/tac_add_attrib_pair_strlen_overflow.patch | |
| parent | db09c62ce678dc292a328f7e982dcb8773194fad (diff) | |
| download | pam_tacplus-8696a1ff70bbdca3b20dc3e48fd5394fa49efa0c.tar.gz pam_tacplus-8696a1ff70bbdca3b20dc3e48fd5394fa49efa0c.zip | |
DANOS import masterHEADdebian/1.3.9-0vyatta12danos/1908master
Diffstat (limited to 'debian/patches/tac_add_attrib_pair_strlen_overflow.patch')
| -rw-r--r-- | debian/patches/tac_add_attrib_pair_strlen_overflow.patch | 57 |
1 files changed, 57 insertions, 0 deletions
diff --git a/debian/patches/tac_add_attrib_pair_strlen_overflow.patch b/debian/patches/tac_add_attrib_pair_strlen_overflow.patch new file mode 100644 index 0000000..8f7632b --- /dev/null +++ b/debian/patches/tac_add_attrib_pair_strlen_overflow.patch @@ -0,0 +1,57 @@ +--- a/libtac/include/libtac.h ++++ b/libtac/include/libtac.h +@@ -66,6 +66,8 @@ extern int logmsg __P((int, const char*, + typedef unsigned int u_int32_t; + #endif + ++#define TAC_PLUS_ATTRIB_MAX_LEN 255 ++ + struct tac_attrib { + char *attr; + u_char attr_len; +--- a/libtac/lib/attrib.c ++++ b/libtac/lib/attrib.c +@@ -29,24 +29,34 @@ void tac_add_attrib(struct tac_attrib ** + + void tac_add_attrib_pair(struct tac_attrib **attr, char *name, char sep, char *value) { + struct tac_attrib *a; +- u_char l1 = (u_char) strlen(name); +- u_char l2; ++ size_t l1 = strlen(name); ++ size_t l2; + int total_len; +- ++ ++ if (l1 > TAC_PLUS_ATTRIB_MAX_LEN-1) { /* take sep into account */ ++ TACSYSLOG((LOG_WARNING,\ ++ "%s: attribute `%s' exceeds max. %d characters, skipping",\ ++ __FUNCTION__, name, TAC_PLUS_ATTRIB_MAX_LEN-1)) ++ return; ++ } ++ ++ total_len = l1 + 1; /* "name" + "sep" */ ++ + if (value == NULL) { + l2 = 0; + } else { +- l2 = (u_char) strlen(value); ++ l2 = strlen(value); + } +- total_len = l1 + l2 + 1; /* "name" + "=" + "value" */ + +- if (total_len > 255) { ++ if (l2 > TAC_PLUS_ATTRIB_MAX_LEN-total_len) { + TACSYSLOG((LOG_WARNING,\ +- "%s: attribute `%s' total length exceeds 255 characters, skipping",\ +- __FUNCTION__, name)) ++ "%s: attribute `%s' total length exceeds %d characters, skipping",\ ++ __FUNCTION__, name, TAC_PLUS_ATTRIB_MAX_LEN)) + return; + } +- ++ ++ total_len += l2; ++ + /* initialize the list if application passed us a null pointer */ + if(*attr == NULL) { + *attr = (struct tac_attrib *) xcalloc(1, sizeof(struct tac_attrib)); |