authormillert <millert@openbsd.org>2002-10-15 17:47:27 +0000
committermillert <millert@openbsd.org>2002-10-15 17:47:27 +0000
commitf4f9852329fc2fcbdb4b2109286eaa7ea75ef3e2 (patch)
tree866460e06d89965b6eb9ccbc765a9b825f17db0f /lib/libc
parentNote that when calling auth_verify() with a style and/or username, (diff)
If auth_setitem() is called with the current value (ie: the pointer
is the same as the private value) then just return 0 as there is nothing to do. This fixes a potentially nasty problem where the caller could grab the username or style from the auth session via auth_getitem() and then call auth_verify() with those values. auth_setitem() would eventually get called which would make a private copy and free the old values in the auth session. After all this, the stashed username and/or style pointers would point to freed memory.
Diffstat (limited to 'lib/libc')
-rw-r--r--lib/libc/gen/auth_subr.c20
1 files changed, 11 insertions, 9 deletions
diff --git a/lib/libc/gen/auth_subr.c b/lib/libc/gen/auth_subr.c
index 728bd588a3c..6f3769fd9a6 100644
--- a/lib/libc/gen/auth_subr.c
+++ b/lib/libc/gen/auth_subr.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth_subr.c,v 1.14 2002/10/15 17:10:57 millert Exp $ */
+/* $OpenBSD: auth_subr.c,v 1.15 2002/10/15 17:47:27 millert Exp $ */
/*-
* Copyright (c) 1995,1996,1997 Berkeley Software Design, Inc.
@@ -428,6 +428,8 @@ auth_setitem(auth_session_t *as, auth_item_t item, char *value)
return (0);
case AUTHV_CHALLENGE:
+ if (value != NULL && value == as->challenge)
+ return (0);
if (value != NULL && (value = strdup(value)) == NULL)
return (-1);
if (as->challenge)
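Review bot: The new early return at `if (value != NULL && value == as->challenge)` carries no comment explaining why pointer identity is tested, so a later cleanup could drop it as redundant and bring back the dangling-pointer case the commit message describes. I would add `/* value is our own private copy; replacing it would free memory the caller still holds */` above the check, and the same comment fits the CLASS, NAME, SERVICE and STYLE guards in the next hunk. The guard matches only the exact stored pointer, so a caller holding a pointer derived from it (for example an offset into the string) would presumably still be left with freed memory; that limit is worth stating in the auth_setitem() documentation. The AUTHV_CHALLENGE case continues past the end of this hunk.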
@@ -436,45 +438,45 @@ auth_setitem(auth_session_t *as, auth_item_t item, char *value)
return (0);
case AUTHV_CLASS:
+ if (value != NULL && value == as->class)
+ return (0);
if (value != NULL && (value = strdup(value)) == NULL)
return (-1);
-
if (as->class)
free(as->class);
-
as->class = value;
return (0);
case AUTHV_NAME:
+ if (value != NULL && value == as->name)
+ return (0);
if (value != NULL && (value = strdup(value)) == NULL)
return (-1);
-
if (as->name)
free(as->name);
-
as->name = value;
return (0);
case AUTHV_SERVICE:
+ if (value != NULL && value == as->defservice)
+ return (0);
if (value == NULL || strcmp(value, defservice) == 0)
value = defservice;
else if ((value = strdup(value)) == NULL)
return (-1);
-
if (as->service && as->service != defservice)
free(as->service);
-
as->service = value;
return (0);
case AUTHV_STYLE:
+ if (value != NULL && value == as->style)
+ return (0);
if (value == NULL || strchr(value, '/') != NULL ||
(value = strdup(value)) == NULL)
return (-1);
-
if (as->style)
free(as->style);
-
as->style = value;
return (0);
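Review bot: The AUTHV_SERVICE guard compares against `as->defservice`, but every other line of that case reads and writes `as->service` and uses `defservice` as a standalone name, so this looks like a typo. If the session struct has no `defservice` member the file will not compile. If it does have one, a caller passing back the service pointer it got from the session is not short-circuited, and the old string is still freed underneath it, which is the use-after-free this commit sets out to close. The check should read `if (value != NULL && value == as->service)`. The struct definition is outside the hunk, so confirm the member name there.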