bug-cvs
[Top][All Lists]
Advanced

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

src/server.c:check_pam_password(): Bad structure for storing peer addres


From: Petr Pisar
Subject: src/server.c:check_pam_password(): Bad structure for storing peer address
Date: Thu, 10 Mar 2011 17:45:38 +0100
User-agent: Mutt/1.5.21 (2010-09-15)

Hello,

while back-porting PAM_RHOST setting from development CVS tree, I found there
is a bug in retrieving peer address (src/server.c):

static int
check_pam_password (char **username, char *password)
{
    int retval, err;
    struct pam_conv conv = { cvs_pam_conv, 0 };
    char *pam_stage = "start";
    struct sockaddr peer;
    int len;
    char host[NI_MAXHOST];

    /* get the client's ip address */
    len = sizeof (peer);
    if (getpeername (STDIN_FILENO, &peer, &len) < 0)
    [...]
    /* convert the ip address to text */
    if (getnameinfo(&peer, len, host, NI_MAXHOST,
                NULL, 0, NI_NUMERICHOST) < 0)
    [...]
}

The `peer' variable should be type of `struct sockaddr_storage'. Also the
`len' variable should be type of `socklen_t' to conform Single UNIX
Specification.

You need then to cast the `&peer' variable to `struct sockaddr *' before
passing it to getpeername() and getnameinfo().

Current code has problem when client connects via IPv6. Its address becomes
bigger then struct sockaddr and then getpeername() writes date into
unallocated memory and getnameinfo() reads from uninitialized memory.

The problem is described in Debian bug tracking system
(http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=601253#27).

-- Petr

Attachment: pgp6vvd5zGHzw.pgp
Description: PGP signature


reply via email to

[Prev in Thread] Current Thread [Next in Thread]