Bug 2539 - Add missing sanity check for read_passphrase() in auth-pam.c
Summary: Add missing sanity check for read_passphrase() in auth-pam.c
Status: CLOSED INVALID
Alias: None
Product: Portable OpenSSH
Classification: Unclassified
Component: PAM support (show other bugs)
Version: 7.1p1
Hardware: All All
: P5 major
Assignee: Assigned to nobody
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2016-02-14 08:29 AEDT by Bill Parker
Modified: 2016-08-02 10:42 AEST (History)
1 user (show)

See Also:

Attachments
Patch file for this bug report (352 bytes, application/octet-stream)
2016-02-14 08:29 AEDT, Bill Parker 		no flags Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Bill Parker 2016-02-14 08:29:10 AEDT 
Created attachment 2784 [details]
Patch file for this bug report

Hello All,

	In reviewing code in OpenSSH-7.1p2, it would appear in file 'auth-pam.c',
function 'sshpam_tty_conv()', there is a call to read_passphrase() which
is not checked for a return value of NULL, indicating failure.  The patch
file below should address/correct this issue:

--- auth-pam.c.orig     2016-02-13 09:44:14.656582235 -0800
+++ auth-pam.c  2016-02-13 09:46:14.583824370 -0800
@@ -982,6 +982,8 @@
                        reply[i].resp =
                            read_passphrase(PAM_MSG_MEMBER(msg, i, msg),
                            RP_ALLOW_STDIN);
+                       if (reply[i].resp == NULL)
+                               goto fail;
                        reply[i].resp_retcode = PAM_SUCCESS;
                        break;
                case PAM_PROMPT_ECHO_ON:
				
=======================================================================

I am attaching the patch file to this bug report...

Bill Parker (wp02855 at gmail dot com)
Comment 1 Darren Tucker 2016-02-15 10:16:46 AEDT 
(In reply to Bill Parker from comment #0)
> 	In reviewing code in OpenSSH-7.1p2, it would appear in file
> 'auth-pam.c',
> function 'sshpam_tty_conv()', there is a call to read_passphrase()
> which is not checked for a return value of NULL, indicating failure.
> The patch file below should address/correct this issue:
[...]
>                         reply[i].resp =
>                             read_passphrase(PAM_MSG_MEMBER(msg, i,
> msg),
>                             RP_ALLOW_STDIN);
> +                       if (reply[i].resp == NULL)
> +                               goto fail;

Thanks, but read_passphrase() can only return NULL if given the RP_ALLOW_EOF flag which this code doesn't, so in this case it's guaranteed to be non-NULL.
Comment 2 Damien Miller 2016-08-02 10:42:38 AEST 
Close all resolved bugs after 7.3p1 release