Fix CVE-2020-10595:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10595
Patch copied from upstream advisory:
https://seclists.org/oss-sec/2020/q1/128
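diff --git a/prompting.c b/prompting.c
index e985d95..d81054f 100644
--- a/prompting.c
+++ b/prompting.c
@@ -314,26 +314,27 @@ pamk5_prompter_krb5(krb5_context context UNUSED, void *data, const char *name,
 /*
 * Reuse pam_prompts as a starting index and copy the data into the reply
 * area of the krb5_prompt structs.
 */
 pam_prompts = 0;
 if (name != NULL && !args->silent)
 pam_prompts++;
 if (banner != NULL && !args->silent)
 pam_prompts++;
 for (i = 0; i < num_prompts; i++, pam_prompts++) {
- size_t len;
+ size_t len, allowed;
 
 if (resp[pam_prompts].resp == NULL)
 goto cleanup;
 len = strlen(resp[pam_prompts].resp);
- if (len > prompts[i].reply->length)
+ allowed = prompts[i].reply->length;
+ if (allowed == 0 || len > allowed - 1)
 goto cleanup;
 
 /*
 * The trailing nul is not included in length, but other applications
 * expect it to be there. Therefore, we copy one more byte than the
 * actual length of the password, but set length to just the length of
 * the password.
 */
 memcpy(prompts[i].reply->data, resp[pam_prompts].resp, len + 1);
 prompts[i].reply->length = (unsigned int) len;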
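Review bot: The new bound `allowed == 0 || len > allowed - 1` carries no comment saying why one byte is held back, and the existing comment further down only explains the extra byte that is copied, not the capacity that copy needs. Since `memcpy` below copies `len + 1` bytes, I would add above the check something like `/* reply->length is the buffer size on entry; keep one byte for the nul copied below. */`, assuming `reply->length` does hold the caller's buffer size at this point, which the hunk does not show. A test that feeds a response of exactly `reply->length` bytes and expects rejection would keep this boundary from regressing. The enclosing function pamk5_prompter_krb5 starts and ends outside the hunk, so what the `cleanup` label does with the collected responses is not visible here.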