The problem here wasn't in returned error code, but in faultly read DBUS
message, due to condition in sss_authtok_set_string.
When password is empty, it passes 0 as length, which is misinterpreted,
and the function tries to determine the length of string by itself,
reaching over boundaries of authtok string.
trac issue: https://fedorahosted.org/sssd/ticket/1814
Patch is attached
Ondra
--
Ondrej Kos
Associate Software Engineer
Identity Management - SSSD
Red Hat Czech
From 7f7e34e3d64b2b7f3c02225ed506791106c8d8a9 Mon Sep 17 00:00:00 2001
From: Ondrej Kos <o...@redhat.com>
Date: Mon, 24 Jun 2013 16:58:23 +0200
Subject: [PATCH] Do not try to set password when authtok_length is zero
https://fedorahosted.org/sssd/ticket/1814
When the authtok_length is zero, it shouldn't call
sss_authtok_set_password, because it tries to determine lenght of passed
string by itself and would read parts of DBus message behind boundaries
of authtok.
---
src/responder/pam/pamsrv_cmd.c | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/src/responder/pam/pamsrv_cmd.c b/src/responder/pam/pamsrv_cmd.c
index ff86a13a5ac13856a65d1618056caf4657cb473a..bf9a686230e0deb39f7387ed3f51c08f97575007 100644
--- a/src/responder/pam/pamsrv_cmd.c
+++ b/src/responder/pam/pamsrv_cmd.c
@@ -65,8 +65,12 @@ static int extract_authtok_v2(TALLOC_CTX *mem_ctx, struct sss_auth_token *tok,
sss_authtok_set_empty(tok);
break;
case SSS_AUTHTOK_TYPE_PASSWORD:
- ret = sss_authtok_set_password(tok, (const char *)auth_token_data,
- auth_token_length);
+ if (auth_token_length == 0) {
+ sss_authtok_set_empty(tok);
+ } else {
+ ret = sss_authtok_set_password(tok, (const char *)auth_token_data,
+ auth_token_length);
+ }
break;
default:
return EINVAL;
--
1.8.1.4
_______________________________________________
sssd-devel mailing list
sssd-devel@lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/sssd-devel
