options, and new features, see the NewStuff file next to this ChangeLog.
+Exim version 4.93+fixes
+-----------------------
+This is not an official release. It is just a branch, collecting
+proposed bugfixes. Depending on your environment the fixes may be
+necessary to build and/or run Exim successfully.
+
+JH/07 Bug 2489: Fix crash in the "pam" expansion condition. It seems that the
+ PAM library frees one of the arguments given to it, despite the
+ documentation. Therefore a plain malloc must be used.
+
+
Exim version 4.93
-----------------
int sep = 0;
struct pam_response *reply;
-if (pam_arg_ended) return PAM_CONV_ERR;
+/* It seems that PAM frees reply[] */
-reply = store_get(sizeof(struct pam_response) * num_msg, FALSE);
+if ( pam_arg_ended
+ || !(reply = malloc(sizeof(struct pam_response) * num_msg)))
+ return PAM_CONV_ERR;
for (int i = 0; i < num_msg; i++)
{
{
case PAM_PROMPT_ECHO_ON:
case PAM_PROMPT_ECHO_OFF:
- arg = string_nextinlist(&pam_args, &sep, big_buffer, big_buffer_size);
- if (arg == NULL)
- {
- arg = US"";
- pam_arg_ended = TRUE;
- }
- reply[i].resp = CS string_copy_perm(arg, FALSE); /* PAM frees resp */
- reply[i].resp_retcode = PAM_SUCCESS;
- break;
+ arg = string_nextinlist(&pam_args, &sep, big_buffer, big_buffer_size);
+ if (!arg)
+ {
+ arg = US"";
+ pam_arg_ended = TRUE;
+ }
+ reply[i].resp = CS string_copy_malloc(arg); /* PAM frees resp */
+ reply[i].resp_retcode = PAM_SUCCESS;
+ break;
case PAM_TEXT_INFO: /* Just acknowledge messages */
case PAM_ERROR_MSG:
- reply[i].resp_retcode = PAM_SUCCESS;
- reply[i].resp = NULL;
- break;
+ reply[i].resp_retcode = PAM_SUCCESS;
+ reply[i].resp = NULL;
+ break;
default: /* Must be an error of some sort... */
- pam_conv_had_error = TRUE;
- return PAM_CONV_ERR;
+ free(reply);
+ pam_conv_had_error = TRUE;
+ return PAM_CONV_ERR;
}
}
projects / exim.git / commitdiff