137 lines
3.9 KiB
Diff
137 lines
3.9 KiB
Diff
|
[PATCH] Fix Double Free Corruption (CVE2012-1502)
|
||
|
|
||
|
Downloaded from:
|
||
|
http://pkgs.fedoraproject.org/cgit/PyPAM.git/plain/PyPAM-0.5.0-memory-errors.patch
|
||
|
|
||
|
For details, see: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1502
|
||
|
|
||
|
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
|
||
|
diff -up PyPAM-0.5.0/PAMmodule.c.memory PyPAM-0.5.0/PAMmodule.c
|
||
|
--- PyPAM-0.5.0/PAMmodule.c.memory 2012-05-07 17:22:54.503914026 +0200
|
||
|
+++ PyPAM-0.5.0/PAMmodule.c 2012-05-07 17:23:15.644381942 +0200
|
||
|
@@ -37,33 +37,48 @@ static void PyPAM_Err(PyPAMObject *self,
|
||
|
|
||
|
err_msg = pam_strerror(self->pamh, result);
|
||
|
error = Py_BuildValue("(si)", err_msg, result);
|
||
|
- Py_INCREF(PyPAM_Error);
|
||
|
PyErr_SetObject(PyPAM_Error, error);
|
||
|
+ Py_XDECREF(error);
|
||
|
}
|
||
|
|
||
|
static int PyPAM_conv(int num_msg, const struct pam_message **msg,
|
||
|
struct pam_response **resp, void *appdata_ptr)
|
||
|
{
|
||
|
- PyObject *args;
|
||
|
-
|
||
|
+ PyObject *args, *msgList, *respList, *item;
|
||
|
+ struct pam_response *response, *spr;
|
||
|
PyPAMObject* self = (PyPAMObject *) appdata_ptr;
|
||
|
+
|
||
|
if (self->callback == NULL)
|
||
|
return PAM_CONV_ERR;
|
||
|
|
||
|
Py_INCREF(self);
|
||
|
|
||
|
- PyObject* msgList = PyList_New(num_msg);
|
||
|
-
|
||
|
+ msgList = PyList_New(num_msg);
|
||
|
+ if (msgList == NULL) {
|
||
|
+ Py_DECREF(self);
|
||
|
+ return PAM_CONV_ERR;
|
||
|
+ }
|
||
|
+
|
||
|
for (int i = 0; i < num_msg; i++) {
|
||
|
- PyList_SetItem(msgList, i,
|
||
|
- Py_BuildValue("(si)", msg[i]->msg, msg[i]->msg_style));
|
||
|
+ item = Py_BuildValue("(si)", msg[i]->msg, msg[i]->msg_style);
|
||
|
+ if (item == NULL) {
|
||
|
+ Py_DECREF(msgList);
|
||
|
+ Py_DECREF(self);
|
||
|
+ return PAM_CONV_ERR;
|
||
|
+ }
|
||
|
+ PyList_SetItem(msgList, i, item);
|
||
|
}
|
||
|
-
|
||
|
+
|
||
|
args = Py_BuildValue("(OO)", self, msgList);
|
||
|
- PyObject* respList = PyEval_CallObject(self->callback, args);
|
||
|
+ if (args == NULL) {
|
||
|
+ Py_DECREF(self);
|
||
|
+ Py_DECREF(msgList);
|
||
|
+ return PAM_CONV_ERR;
|
||
|
+ }
|
||
|
+ respList = PyEval_CallObject(self->callback, args);
|
||
|
Py_DECREF(args);
|
||
|
Py_DECREF(self);
|
||
|
-
|
||
|
+
|
||
|
if (respList == NULL)
|
||
|
return PAM_CONV_ERR;
|
||
|
|
||
|
@@ -71,11 +86,15 @@ static int PyPAM_conv(int num_msg, const
|
||
|
Py_DECREF(respList);
|
||
|
return PAM_CONV_ERR;
|
||
|
}
|
||
|
-
|
||
|
- *resp = (struct pam_response *) malloc(
|
||
|
+
|
||
|
+ response = (struct pam_response *) malloc(
|
||
|
PyList_Size(respList) * sizeof(struct pam_response));
|
||
|
+ if (response == NULL) {
|
||
|
+ Py_DECREF(respList);
|
||
|
+ return PAM_CONV_ERR;
|
||
|
+ }
|
||
|
+ spr = response;
|
||
|
|
||
|
- struct pam_response* spr = *resp;
|
||
|
for (int i = 0; i < PyList_Size(respList); i++, spr++) {
|
||
|
PyObject* respTuple = PyList_GetItem(respList, i);
|
||
|
char* resp_text;
|
||
|
@@ -85,7 +104,7 @@ static int PyPAM_conv(int num_msg, const
|
||
|
free((--spr)->resp);
|
||
|
--i;
|
||
|
}
|
||
|
- free(*resp);
|
||
|
+ free(response);
|
||
|
Py_DECREF(respList);
|
||
|
return PAM_CONV_ERR;
|
||
|
}
|
||
|
@@ -95,7 +114,8 @@ static int PyPAM_conv(int num_msg, const
|
||
|
}
|
||
|
|
||
|
Py_DECREF(respList);
|
||
|
-
|
||
|
+ *resp = response;
|
||
|
+
|
||
|
return PAM_SUCCESS;
|
||
|
}
|
||
|
|
||
|
@@ -122,7 +142,11 @@ static PyObject * PyPAM_pam(PyObject *se
|
||
|
PyPAMObject_Type.ob_type = &PyType_Type;
|
||
|
p = (PyPAMObject *) PyObject_NEW(PyPAMObject, &PyPAMObject_Type);
|
||
|
|
||
|
+ if (p == NULL)
|
||
|
+ return NULL;
|
||
|
+
|
||
|
if ((spc = (struct pam_conv *) malloc(sizeof(struct pam_conv))) == NULL) {
|
||
|
+ Py_DECREF((PyObject *)p);
|
||
|
PyErr_SetString(PyExc_MemoryError, "out of memory");
|
||
|
return NULL;
|
||
|
}
|
||
|
@@ -455,9 +479,15 @@ static PyObject * PyPAM_getenvlist(PyObj
|
||
|
}
|
||
|
|
||
|
retval = PyList_New(0);
|
||
|
+ if (retval == NULL)
|
||
|
+ return NULL;
|
||
|
|
||
|
while ((cp = *(result++)) != NULL) {
|
||
|
entry = Py_BuildValue("s", cp);
|
||
|
+ if (entry == NULL) {
|
||
|
+ Py_DECREF(retval);
|
||
|
+ return NULL;
|
||
|
+ }
|
||
|
PyList_Append(retval, entry);
|
||
|
Py_DECREF(entry);
|
||
|
}
|