[PATCH 1/4] pam_access: Avoid unitialized usage of line if (errno == ENOENT)
Tomas Mraz
tmraz at redhat.com
Wed Aug 13 12:44:12 UTC 2014
On Wed, 2014-08-13 at 14:26 +0200, Robin Hack wrote:
> ---
> modules/pam_access/pam_access.c | 3 +++
> 1 file changed, 3 insertions(+)
>
> diff --git a/modules/pam_access/pam_access.c b/modules/pam_access/pam_access.c
> index 87626e7..266e685 100644
> --- a/modules/pam_access/pam_access.c
> +++ b/modules/pam_access/pam_access.c
> @@ -341,6 +341,9 @@ login_access (pam_handle_t *pamh, struct login_info *item)
> int lineno = 0; /* for diagnostics */
> char *sptr;
>
> + /* Avoid unitialized use */
> + memset(line, 0, BUFSIZ);
> +
> if (item->debug)
> pam_syslog (pamh, LOG_DEBUG,
> "login_access: user=%s, from=%s, file=%s",
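Review bot: the memset added at the top of login_access hard-codes BUFSIZ as the length, and the declaration of line is not in this hunk, so nothing visible ties that length to the buffer's real size. If line is a local array, memset(line, 0, sizeof(line)) keeps the two in step. The only read of line shown later in this mail is line[0] == '-', so line[0] = '\0'; would cover it without clearing the whole buffer on every call. The new comment should also name the read it protects (the errno == ENOENT case from the subject) and spell "uninitialized" correctly.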
This can be solved by reordering the condition where the uninitialized
access is done:
--- a/modules/pam_access/pam_access.c
+++ b/modules/pam_access/pam_access.c
@@ -412,8 +412,8 @@ login_access (pam_handle_t *pamh, struct login_info *item)
return NO;
}
#ifdef HAVE_LIBAUDIT
- if (!item->noaudit && line[0] == '-' && (match == YES || (match == ALL &&
- nonall_match == YES))) {
+ if (!item->noaudit && (match == YES || (match == ALL &&
+ nonall_match == YES)) && line[0] == '-') {
pam_modutil_audit_write(pamh, AUDIT_ANOM_LOGIN_LOCATION,
"pam_access", 0);
}
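Review bot: moving line[0] == '-' to the end of the condition makes the fix depend on operand order, and nothing in the hunk documents that. The reorder only avoids the uninitialized read if match can never be YES or ALL when no line was read into line, which these lines do not show, so that is worth confirming for the path where the file is missing. A short comment above the if saying that line[0] must stay last because line is only valid after a match would keep a later cleanup from reordering it back.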
I prefer this solution.
--
Tomas Mraz
No matter how far down the wrong road you've gone, turn back.
Turkish proverb
(You'll never know whether the road is wrong though.)