Package: dante-server
Version: 1.1.18
Followup-For: Bug #331538

I found a 'memory corruption' bug in sockd/serverconfig.c caused by
using memmove() between members of the same union. (This part of the
code changed between 1.1.15 and 1.1.16.)

The patch below fixed the problem.

I'll submit this patch to the dante development team.

Nicolas

-- System Information:
Debian Release: testing/unstable
  APT prefers testing
  APT policy: (990, 'testing'), (99, 'unstable'), (9, 'experimental')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.12-1-k7
Locale: LANG=en_US, LC_CTYPE=en_US (charmap=ISO-8859-1)
Only in dante-1.1.18/sockd: #serverconfig.c#
diff -ru dante-1.1.18.orig/sockd/serverconfig.c dante-1.1.18/sockd/serverconfig.c
--- dante-1.1.18.orig/sockd/serverconfig.c	2005-07-14 04:41:45.000000000 +0200
+++ dante-1.1.18/sockd/serverconfig.c	2005-10-05 23:09:57.000000000 +0200
@@ -932,33 +932,35 @@
 
 							switch (state->auth.method) {
 								case AUTHMETHOD_UNAME: {
-									/*
-									 * Got uname/passowrd, which is similar enough.
+
+							  		/* it's a union, make a copy first. */
+								 	const struct authmethod_uname_t uname
+								    		= state->auth.mdata.uname;
+								 	/*
 									 * Just need to copy name/password from the
 									 * uname object into the pam object.
 									 */
 
-									memmove(state->auth.mdata.pam.name,
-									state->auth.mdata.uname.name,
-									strlen(state->auth.mdata.uname.name) + 1);
-
-									memmove(state->auth.mdata.pam.password,
-									state->auth.mdata.uname.password,
-									strlen(state->auth.mdata.uname.password) + 1);
+									strcpy((char *)state->auth.mdata.pam.name,
+										(const char *)uname.name);
+								  	strcpy((char *)state->auth.mdata.pam.password,
+									 	(const char *)uname.password);      
 
 									methodischeckable = 1;
 									break;
 								}
 
 								case AUTHMETHOD_RFC931: {
+								  	/* it's a union, make a copy first. */
+								  	const struct authmethod_rfc931_t rfc931
+								    		= state->auth.mdata.rfc931;
+
 									/*
 									 * no password, but we can check for the username 
 									 * we got from ident, with an empty password.
 									 */
-
-									memmove(state->auth.mdata.pam.name,
-									state->auth.mdata.rfc931.name,
-									strlen(state->auth.mdata.rfc931.name) + 1);
+								 	strcpy((char *)state->auth.mdata.pam.name,
+									 	(const char *)rfc931.name);
 
 									*state->auth.mdata.pam.password = NUL;
 
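Review bot: The `strcpy` calls added after `const struct authmethod_uname_t uname` and in the `AUTHMETHOD_RFC931` case are unbounded, and nothing in the hunk shows that `pam.name` and `pam.password` are at least as large as the `uname`/`rfc931` fields they are copied from, so whatever overflow risk the removed `memmove` carried is unchanged. A bounded copy documents that size assumption and fails safe if the arrays ever differ: `snprintf((char *)state->auth.mdata.pam.name, sizeof state->auth.mdata.pam.name, "%s", (const char *)uname.name);` and likewise for the password and for `rfc931.name`. The local `uname` copy is a second in-memory copy of the password; being `const`, it cannot be cleared before the block exits if the surrounding code wipes credentials after use (not visible here). The enclosing switch and function start and end outside the hunk.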
