kravietz / pam_tacplus

TACACS+ protocol client library and PAM module in C. This PAM module supports authentication, authorization (account management) and accounting (session management) performed using the TACACS+ protocol designed by Cisco.
GNU Lesser General Public License v3.0
132 stars 102 forks

Double free in authenticate #184

Closed sbrahul closed 2 years ago

sbrahul commented 2 years ago

As part of tac_authen_read_timeout(), at line 141, the msg variable pointer is saved in re->msg https://github.com/kravietz/pam_tacplus/blob/b8e07ac27c11b86779ae9698fcafee0c89fc83f5/libtac/lib/authen_r.c#L141

The immediately following line frees this msg pointer, which leaves re->msg as a dangling pointer. https://github.com/kravietz/pam_tacplus/blob/b8e07ac27c11b86779ae9698fcafee0c89fc83f5/libtac/lib/authen_r.c#L142

In the caller, which is pam_sm_authenticate(), this pointer is stored as arep.msg and is freed again at line 552 https://github.com/kravietz/pam_tacplus/blob/b8e07ac27c11b86779ae9698fcafee0c89fc83f5/pam_tacplus.c#L552

This causes an abort in glibc, which crashes the application.

The fix would be to not free the pointer at authen_r.c:142.
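
The ownership mistake described in this report, as an added example that is not pam_tacplus or libtac code: a callee hands a heap pointer to its caller through a reply struct and then frees it anyway, so the caller's own cleanup frees the block a second time. The `struct areply` layout, the functions `authen_read_buggy`, `authen_read_fixed`, `authenticate` and `tracked_free`, and the sample server text are assumptions made for illustration. Because a real double free aborts the process under glibc, the example routes frees through a small quarantine-style tracker (the same idea AddressSanitizer uses) that counts a repeated free instead of aborting, so the buggy and fixed callees can be compared in one run.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Reply struct modelled on libtac's areply (hypothetical layout): msg is
 * heap-allocated by the reader and must be freed by exactly one owner. */
struct areply {
    int status;
    char *msg;
};

/* --- tiny free tracker, a stand-in for ASan's double-free detector ---
 * Freed blocks are quarantined (not returned to malloc) so an address cannot
 * be recycled and confused with a later allocation during this run. A second
 * free of the same block is counted instead of aborting the process. */
#define MAX_TRACKED 64
static void *quarantine[MAX_TRACKED];
static int quarantined;
static int double_frees;

static void tracked_free(void *p) {
    if (p == NULL)
        return;
    for (int i = 0; i < quarantined; i++) {
        if (quarantine[i] == p) {
            double_frees++;               /* real glibc would abort here */
            return;
        }
    }
    if (quarantined < MAX_TRACKED)
        quarantine[quarantined++] = p;    /* deliberately never free()d */
}

static void tracker_reset(void) {
    quarantined = 0;
    double_frees = 0;
}

/* Copies the server's reply text into a fresh heap buffer, standing in for
 * the bytes read off the TACACS+ socket. */
static char *read_reply_msg(const char *server_text) {
    size_t n = strlen(server_text) + 1;
    char *msg = malloc(n);
    if (msg != NULL)
        memcpy(msg, server_text, n);
    return msg;
}

/* BUGGY callee, mirroring the report: the pointer is handed to the caller
 * through re->msg and then freed on the next line, so re->msg dangles. */
static void authen_read_buggy(struct areply *re, const char *server_text) {
    char *msg = read_reply_msg(server_text);
    re->status = 1;
    re->msg = msg;
    tracked_free(msg);   /* first free; the caller will free re->msg again */
}

/* FIXED callee: ownership of msg moves to the caller together with re->msg,
 * and the callee does not touch the buffer afterwards. */
static void authen_read_fixed(struct areply *re, const char *server_text) {
    char *msg = read_reply_msg(server_text);
    re->status = 1;
    re->msg = msg;       /* caller now owns re->msg and frees it exactly once */
}

/* Caller modelled on the cleanup in pam_sm_authenticate: it frees arep.msg.
 * Returns how many double frees the tracker saw for this call. */
int authenticate(void (*read_fn)(struct areply *, const char *),
                 const char *server_text) {
    struct areply arep = { 0, NULL };
    tracker_reset();
    read_fn(&arep, server_text);
    tracked_free(arep.msg);   /* second free in the buggy case */
    arep.msg = NULL;          /* never leave a freed pointer reachable */
    return double_frees;
}

int main(void) {
    const char *reply = "Password: ";   /* constructed sample server prompt */
    printf("buggy callee: %d double free(s)\n",
           authenticate(authen_read_buggy, reply));
    printf("fixed callee: %d double free(s)\n",
           authenticate(authen_read_fixed, reply));
    return 0;
}
```

The rule the fixed callee follows is the one the report asks for: whichever function stores a heap pointer into a struct that outlives the call has transferred ownership and must not free it. To see the same defect reported by a real detector, replace `tracked_free` with `free` and build with `-fsanitize=address`; the buggy path is then reported as a double free at the caller's `free`, with the callee's `free` shown as the first release.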

sbrahul commented 2 years ago

I have created a pull request fixing this: https://github.com/kravietz/pam_tacplus/pull/185

kravietz commented 2 years ago

@sbrahul Thank you, checking now.