auth/pam: Fix double-free crash

foxcpp · foxcpp · commit cf9488205200 · 2022-03-06T16:07:59.000+03:00
conv_func may be called multiple times and should return a unique pam_response each time. Closes #272.
diff --git a/cmd/maddy-pam-helper/pam.c b/cmd/maddy-pam-helper/pam.c
@@ -1,5 +1,3 @@
-//+build libpam
-
 /*
 Maddy Mail Server - Composable all-in-one email server.
 Copyright © 2019-2022 Max Mazurov <fox.cpp@disroot.org>, Maddy Mail Server contributors
@@ -21,28 +19,33 @@ along with this program.  If not, see <https://www.gnu.org/licenses/>.
 #define _POSIX_C_SOURCE 200809L
 #include <stdio.h>
 #include <stdlib.h>
+#include <string.h>
 #include <security/pam_appl.h>
 #include "pam.h"
 
 static int conv_func(int num_msg, const struct pam_message **msg, struct pam_response **resp, void *appdata_ptr) {
-    *resp = (struct pam_response*)appdata_ptr;
-    return PAM_SUCCESS;
-}
-
-struct error_obj run_pam_auth(const char *username, char *password) {
-    // PAM frees pam_response for us.
     struct pam_response *reply = malloc(sizeof(struct pam_response));
     if (reply == NULL) {
-        struct error_obj ret_val;
-        ret_val.status = 2;
-        ret_val.func_name = "malloc";
-        ret_val.error_msg = "Out of memory";
-        return ret_val;
+        return PAM_CONV_ERR;
     }
-    reply->resp = password;
+
+    char* password_cpy = malloc(strlen((char*)appdata_ptr)+1);
+    if (password_cpy == NULL) {
+        return PAM_CONV_ERR;
+    }
+    memcpy(password_cpy, (char*)appdata_ptr, strlen((char*)appdata_ptr)+1);
+
+    reply->resp = password_cpy;
     reply->resp_retcode = 0;
 
-    const struct pam_conv local_conv = { conv_func, reply };
+    // PAM frees pam_response for us.
+    *resp = reply;
+
+    return PAM_SUCCESS;
+}
+
+struct error_obj run_pam_auth(const char *username, char *password) {
+    const struct pam_conv local_conv = { conv_func, password };
     pam_handle_t *local_auth = NULL;
     int status = pam_start("maddy", username, &local_conv, &local_auth);
     if (status != PAM_SUCCESS) {
diff --git a/cmd/maddy-pam-helper/pam.h b/cmd/maddy-pam-helper/pam.h
@@ -1,3 +1,21 @@
+/*
+Maddy Mail Server - Composable all-in-one email server.
+Copyright © 2019-2020 Max Mazurov <fox.cpp@disroot.org>, Maddy Mail Server contributors
+
+This program is free software: you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation, either version 3 of the License, or
+(at your option) any later version.
+
+This program is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with this program.  If not, see <https://www.gnu.org/licenses/>.
+*/
+
 #pragma once
 
 struct error_obj {
diff --git a/internal/auth/pam/pam.c b/internal/auth/pam/pam.c
@@ -21,28 +21,33 @@ along with this program.  If not, see <https://www.gnu.org/licenses/>.
 #define _POSIX_C_SOURCE 200809L
 #include <stdio.h>
 #include <stdlib.h>
+#include <string.h>
 #include <security/pam_appl.h>
 #include "pam.h"
 
 static int conv_func(int num_msg, const struct pam_message **msg, struct pam_response **resp, void *appdata_ptr) {
-    *resp = (struct pam_response*)appdata_ptr;
-    return PAM_SUCCESS;
-}
-
-struct error_obj run_pam_auth(const char *username, char *password) {
-    // PAM frees pam_response for us.
     struct pam_response *reply = malloc(sizeof(struct pam_response));
     if (reply == NULL) {
-        struct error_obj ret_val;
-        ret_val.status = 2;
-        ret_val.func_name = "malloc";
-        ret_val.error_msg = "Out of memory";
-        return ret_val;
+        return PAM_CONV_ERR;
     }
-    reply->resp = password;
+
+    char* password_cpy = malloc(strlen((char*)appdata_ptr)+1);
+    if (password_cpy == NULL) {
+        return PAM_CONV_ERR;
+    }
+    memcpy(password_cpy, (char*)appdata_ptr, strlen((char*)appdata_ptr)+1);
+
+    reply->resp = password_cpy;
     reply->resp_retcode = 0;
 
-    const struct pam_conv local_conv = { conv_func, reply };
+    // PAM frees pam_response for us.
+    *resp = reply;
+
+    return PAM_SUCCESS;
+}
+
+struct error_obj run_pam_auth(const char *username, char *password) {
+    const struct pam_conv local_conv = { conv_func, password };
     pam_handle_t *local_auth = NULL;
     int status = pam_start("maddy", username, &local_conv, &local_auth);
     if (status != PAM_SUCCESS) {
