pam_ssh_agent_auth / Bugs / #22 TOCTOU and NULL

#22 TOCTOU and NULL_RETURNS

Status: open

Owner: nobody

Labels: None

Priority: 5

Updated: 2016-04-01

Created: 2016-01-20

Creator: Jakub Jelen

Private: No

Coverity scan on pam_ssh_agent_auth package reported two minor bugs, that should be fixed.

First of them is NULL_RETURNS: secure_filename.c:163:4: deref_parm: Directly dereferencing parameter "pw". There is no check for return value of getpwuid() from pam_user_authorized_keys.c so the pw argument might contain NULL and the dereferencing without check is not good idea.

Second of them is TOCTOU: pam_user_key_allowed2.c:271: toctou: Calling function "execl" that uses "authorized_keys_command" after a check function. This can cause a time-of-check, time-of-use race condition.. It should be handled according to Secure Coding standards.

Let me know if you need more details, or want me to propose some patches.

Discussion

Jakub Jelen - 2016-04-01

Proposing patch for the first issue: getpwuid can return NULL and the return value should be properly checked before de-referencing.

pam_ssh_agent_auth-getpwuid-checks.patch

If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

TOCTOU and NULL_RETURNS

Group

Searches

Help

#22 TOCTOU and NULL_RETURNS

Discussion