0003-memory-errors-CVE2012-1502.patch
[PATCH] Fix Double Free Corruption (CVE2012-1502)
Downloaded from:
http://pkgs.fedoraproject.org/cgit/PyPAM.git/plain/PyPAM-0.5.0-memory-errors.patch
For details, see: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1502
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
diff -up PyPAM-0.5.0/PAMmodule.c.memory PyPAM-0.5.0/PAMmodule.c
--- PyPAM-0.5.0/PAMmodule.c.memory 2012-05-07 17:22:54.503914026 +0200
+++ PyPAM-0.5.0/PAMmodule.c 2012-05-07 17:23:15.644381942 +0200
@@ -37,33 +37,48 @@ static void PyPAM_Err(PyPAMObject *self,
err_msg = pam_strerror(self->pamh, result);
error = Py_BuildValue("(si)", err_msg, result);
- Py_INCREF(PyPAM_Error);
PyErr_SetObject(PyPAM_Error, error);
+ Py_XDECREF(error);
}
static int PyPAM_conv(int num_msg, const struct pam_message **msg,
struct pam_response **resp, void *appdata_ptr)
{
- PyObject *args;
-
+ PyObject *args, *msgList, *respList, *item;
+ struct pam_response *response, *spr;
PyPAMObject* self = (PyPAMObject *) appdata_ptr;
+
if (self->callback == NULL)
return PAM_CONV_ERR;
Py_INCREF(self);
- PyObject* msgList = PyList_New(num_msg);
-
+ msgList = PyList_New(num_msg);
+ if (msgList == NULL) {
+ Py_DECREF(self);
+ return PAM_CONV_ERR;
+ }
+
for (int i = 0; i < num_msg; i++) {
- PyList_SetItem(msgList, i,
- Py_BuildValue("(si)", msg[i]->msg, msg[i]->msg_style));
+ item = Py_BuildValue("(si)", msg[i]->msg, msg[i]->msg_style);
+ if (item == NULL) {
+ Py_DECREF(msgList);
+ Py_DECREF(self);
+ return PAM_CONV_ERR;
+ }
+ PyList_SetItem(msgList, i, item);
}
-
+
args = Py_BuildValue("(OO)", self, msgList);
- PyObject* respList = PyEval_CallObject(self->callback, args);
+ if (args == NULL) {
+ Py_DECREF(self);
+ Py_DECREF(msgList);
+ return PAM_CONV_ERR;
+ }
+ respList = PyEval_CallObject(self->callback, args);
Py_DECREF(args);
Py_DECREF(self);
-
+
if (respList == NULL)
return PAM_CONV_ERR;
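Review bot: `msgList` is not released on the success path of PyPAM_conv. `Py_BuildValue("(OO)", self, msgList)` takes its own reference to the list, and after the callback returns only `args` and `self` are dropped, so the reference from `PyList_New(num_msg)` stays outstanding. The new `args == NULL` branch does release it, which makes the imbalance easy to miss. I would add `Py_DECREF(msgList);` next to `Py_DECREF(args);`, unless a release sits in the one line between this hunk and the next, which is not visible here. The function body continues past the end of this hunk.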
@@ -71,11 +86,15 @@ static int PyPAM_conv(int num_msg, const
Py_DECREF(respList);
return PAM_CONV_ERR;
}
-
- *resp = (struct pam_response *) malloc(
+
+ response = (struct pam_response *) malloc(
PyList_Size(respList) * sizeof(struct pam_response));
+ if (response == NULL) {
+ Py_DECREF(respList);
+ return PAM_CONV_ERR;
+ }
+ spr = response;
- struct pam_response* spr = *resp;
for (int i = 0; i < PyList_Size(respList); i++, spr++) {
PyObject* respTuple = PyList_GetItem(respList, i);
char* resp_text;
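Review bot: The response array is sized and filled from `PyList_Size(respList)`, a length chosen by the Python callback, and nothing visible compares it with `num_msg`. The PAM conversation contract is one response per message, so a shorter list would let the calling module read past the end of this allocation, and an empty list makes the `malloc(0)` result implementation-defined. A guard before the allocation, `if (PyList_Size(respList) != num_msg) { Py_DECREF(respList); return PAM_CONV_ERR; }`, would reject the mismatch. Using `calloc(num_msg, sizeof *response)` would also remove the unchecked multiplication and leave every slot zeroed. The loop body and the rest of PyPAM_conv lie outside this hunk.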
@@ -85,7 +104,7 @@ static int PyPAM_conv(int num_msg, const
free((--spr)->resp);
--i;
}
- free(*resp);
+ free(response);
Py_DECREF(respList);
return PAM_CONV_ERR;
}
@@ -95,7 +114,8 @@ static int PyPAM_conv(int num_msg, const
}
Py_DECREF(respList);
-
+ *resp = response;
+
return PAM_SUCCESS;
}
@@ -122,7 +142,11 @@ static PyObject * PyPAM_pam(PyObject *se
PyPAMObject_Type.ob_type = &PyType_Type;
p = (PyPAMObject *) PyObject_NEW(PyPAMObject, &PyPAMObject_Type);
+ if (p == NULL)
+ return NULL;
+
if ((spc = (struct pam_conv *) malloc(sizeof(struct pam_conv))) == NULL) {
+ Py_DECREF((PyObject *)p);
PyErr_SetString(PyExc_MemoryError, "out of memory");
return NULL;
}
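Review bot: The added `Py_DECREF((PyObject *)p);` on the malloc-failure path runs the type's deallocator on an object whose members have not been set yet, since `PyObject_NEW` does not zero the instance. The deallocator is not visible in this patch, but if it frees or closes any member of `PyPAMObject`, it would do so on indeterminate pointers in exactly the out-of-memory case this hunk is meant to harden. I would set the object's pointer members to NULL immediately after the `p == NULL` check, before the first point that can fail, and confirm that the deallocator tolerates NULL members. PyPAM_pam starts before and continues after this hunk.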
@@ -455,9 +479,15 @@ static PyObject * PyPAM_getenvlist(PyObj
}
retval = PyList_New(0);
+ if (retval == NULL)
+ return NULL;
while ((cp = *(result++)) != NULL) {
entry = Py_BuildValue("s", cp);
+ if (entry == NULL) {
+ Py_DECREF(retval);
+ return NULL;
+ }
PyList_Append(retval, entry);
Py_DECREF(entry);
}
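Review bot: `PyList_Append(retval, entry)` is still called without checking its result, although the surrounding allocations now are. If the append fails, the loop carries on and the function can return a truncated list while a Python exception is pending. I would change it to `if (PyList_Append(retval, entry) < 0) { Py_DECREF(entry); Py_DECREF(retval); return NULL; }` and keep the existing `Py_DECREF(entry);` for the success case. The remainder of PyPAM_getenvlist is outside this hunk.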