[Bug 676] auth-pam.c trashes stack in sshpam_thread_conv() with more than one message
bugzilla-daemon at mindrot.org
Thu Sep 18 17:57:49 EST 2003
http://bugzilla.mindrot.org/show_bug.cgi?id=676
Summary: auth-pam.c trashes stack in sshpam_thread_conv() with more than one message
Product: Portable OpenSSH
Version: 3.7p1
Platform: UltraSparc
OS/Version: Solaris
Status: NEW
Severity: security
Priority: P2
Component: PAM support
AssignedTo: openssh-bugs at mindrot.org
ReportedBy: paul.a.bolton at bt.com
If a PAM module has more than one message set in a single conversation, hence
more than one response, auth-pam.c will start trashing the stack. This was run
on Solaris 8 with patch 108993-22. This had been noticed as we were experiencing
SIGBUS faults from sshd.
The problem seems to be in sshpam_thread_conv() in that the 3rd argument (struct
pam_response **resp) is treated as an array of pointers to struct pam_response
and not a pointer to an array of struct pam_response.
This only occurs if the PAM module has more than one response.
Obviously, as the responses are from the unauthenticated user and in effect
start trampling on the stack (first to go is the msg struct), this could be
exploitable.
Code will be attached of the change. As for whether this could be exploitable, I
haven't looked into this side of the problem sufficiently to answer this.
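The correct shape the report describes (a single pointer to one contiguous array of responses), as an added illustration that is not from the bug report or from OpenSSH: a conversation function that allocates the array once and stores it through `*resp`, exercised with a constructed three-message conversation. The PAM types and constants are locally defined stand-ins so it builds without libpam.

```c
#include <stdlib.h>
#include <string.h>
/* Stand-ins for the PAM types/constants in <security/pam_appl.h>, so this
 * builds without libpam (assumption: same field layout as the real ones). */
enum { PAM_SUCCESS = 0, PAM_CONV_ERR = 19, PAM_PROMPT_ECHO_OFF = 1, PAM_TEXT_INFO = 4 };
struct pam_message { int msg_style; const char *msg; };
struct pam_response { char *resp; int resp_retcode; };
static void free_replies(struct pam_response *r, int n)
{
    for (int i = 0; i < n; i++) free(r[i].resp);
    free(r);
}
/* PAM passes a pointer to ONE struct pam_response *. The only correct use is
 * *resp = <array of num_msg structs>; indexing resp[i] for i > 0, the error
 * in the report, writes past that single pointer into the caller's stack. */
static int conv_ok(int num_msg, const struct pam_message **msg,
                   struct pam_response **resp, void *appdata_ptr)
{
    const char *answer = appdata_ptr;      /* constructed canned reply */
    struct pam_response *reply;
    if (num_msg <= 0) return PAM_CONV_ERR;
    reply = calloc((size_t)num_msg, sizeof(*reply)); /* resp NULL, retcode 0 */
    if (reply == NULL) return PAM_CONV_ERR;
    for (int i = 0; i < num_msg; i++) {
        if (msg[i]->msg_style != PAM_PROMPT_ECHO_OFF)
            continue;                      /* info/error text: resp stays NULL */
        reply[i].resp = malloc(strlen(answer) + 1);
        if (reply[i].resp == NULL) { free_replies(reply, num_msg); return PAM_CONV_ERR; }
        memcpy(reply[i].resp, answer, strlen(answer) + 1);
    }
    *resp = reply;                         /* the single write PAM expects */
    return PAM_SUCCESS;
}
/* Two prompts and one info message in a single conversation, the multi-message
 * case from the report; returns the number of filled replies (2 on success). */
int demo_multi_message(void)
{
    struct pam_message m[3] = { { PAM_PROMPT_ECHO_OFF, "Password: " },
        { PAM_TEXT_INFO, "Welcome" }, { PAM_PROMPT_ECHO_OFF, "Token code: " } };
    const struct pam_message *msgs[3] = { &m[0], &m[1], &m[2] };
    struct pam_response *replies = NULL;
    int filled = 0;
    if (conv_ok(3, msgs, &replies, (void *)"constructed-secret") != PAM_SUCCESS)
        return -1;
    for (int i = 0; i < 3; i++)
        if (replies[i].resp && strcmp(replies[i].resp, "constructed-secret") == 0)
            filled++;
    free_replies(replies, 3);
    return filled;
}
```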