summaryrefslogtreecommitdiff
path: root/src/plugins/auth-pam/auth-pam.c
diff options
context:
space:
mode:
authorAlberto Gonzalez Iniesta <agi@inittab.org>2016-05-10 17:40:25 +0200
committerAlberto Gonzalez Iniesta <agi@inittab.org>2016-05-10 17:40:25 +0200
commitffca24bed7a03d95585ad02278667abe75d8b272 (patch)
tree336f336401e5166e1009e24a6c8d40b97a97af89 /src/plugins/auth-pam/auth-pam.c
parent9653b1bffea4e96c1eb7c1814e8bed21fea62321 (diff)
Imported Upstream version 2.3.11upstream/2.3.11
Diffstat (limited to 'src/plugins/auth-pam/auth-pam.c')
-rw-r--r--src/plugins/auth-pam/auth-pam.c30
1 files changed, 26 insertions, 4 deletions
diff --git a/src/plugins/auth-pam/auth-pam.c b/src/plugins/auth-pam/auth-pam.c
index 95692ab..710accc 100644
--- a/src/plugins/auth-pam/auth-pam.c
+++ b/src/plugins/auth-pam/auth-pam.c
@@ -39,6 +39,7 @@
#include <stdio.h>
#include <string.h>
#include <ctype.h>
+#include <stdbool.h>
#include <unistd.h>
#include <stdlib.h>
#include <sys/types.h>
@@ -47,6 +48,7 @@
#include <fcntl.h>
#include <signal.h>
#include <syslog.h>
+#include <stdint.h>
#include <openvpn-plugin.h>
@@ -119,17 +121,37 @@ static void pam_server (int fd, const char *service, int verb, const struct name
* a pointer to the NEW string. Does not modify the input strings. Will not enter an
* infinite loop with clever 'searchfor' and 'replacewith' strings.
* Daniel Johnson - Progman2000@usa.net / djohnson@progman.us
+ *
+ * Retuns NULL when
+ * - any parameter is NULL
+ * - the worst-case result is to large ( >= SIZE_MAX)
*/
static char *
searchandreplace(const char *tosearch, const char *searchfor, const char *replacewith)
{
+ if (!tosearch || !searchfor || !replacewith) return NULL;
+
+ size_t tosearchlen = strlen(tosearch);
+ size_t replacewithlen = strlen(replacewith);
+ size_t templen = tosearchlen * replacewithlen;
+
+ if (tosearchlen == 0 || strlen(searchfor) == 0 || replacewithlen == 0) {
+ return NULL;
+ }
+
+ bool is_potential_integer_overflow = (templen == SIZE_MAX) || (templen / tosearchlen != replacewithlen);
+
+ if (is_potential_integer_overflow) {
+ return NULL;
+ }
+
+ // state: all parameters are valid
+
const char *searching=tosearch;
char *scratch;
- char temp[strlen(tosearch)*10];
- temp[0]=0;
- if (!tosearch || !searchfor || !replacewith) return 0;
- if (!strlen(tosearch) || !strlen(searchfor) || !strlen(replacewith)) return 0;
+ char temp[templen+1];
+ temp[0]=0;
scratch = strstr(searching,searchfor);
if (!scratch) return strdup(tosearch);