
Re: pam_get_item() question



Oops, thanks for the pointer... I will modify that. Know anything about using the pam_get_item()?

Justin F. wrote:

{
   int retval;
   udataptr myUser = &localUser;
   myConfigPtr myConfig = &localConfig;
   char user[15];
   char *password;
   myUser->usrname=user;
   char error_msg[30];

   if( ( retval = pam_get_user( pamh, &( myUser->usrname ), "PAM_test login:" ) ) != PAM_SUCCESS ) {
      strcpy( error_msg, "Could not obtain user name: " );
      strcat( error_msg, myUser->usrname );



You do not feel that having a fixed-length array of 30b with a 28b message and strcat'ing a username into it could cause problems? This leaves you with like 1 byte usernames.




   if( ( retval = pam_get_user( pamh, &( myUser->usrname ), "PAM_test login:" ) ) == PAM_SUCCESS ) {
      strcpy( error_msg, "Obtained username: " );
      strcat( error_msg, myUser->usrname );




Same deal here, however you have more wiggle room.


However, I am not a pam expert, so I can't really answer your question; I just noticed those two potential overflows.

Justin F.





--
Jason Gerfen
jason gerfen scl utah edu

"And remember... If the ladies
don't find you handsome, they
should at least find you handy..."
            ~The Red Green show

_______________________________________________
Pam-list mailing list
Pam-list redhat com
https://www.redhat.com/mailman/listinfo/pam-list










--
Jason Gerfen
Student Computing
Marriott Library
801.585.9810
jason gerfen scl utah edu

"And remember... If the ladies
don't find you handsome, they
should at least find you handy..."
            ~The Red Green show

