From fac1a692731262cccd5790ca2c5d8acd8a59b211 Mon Sep 17 00:00:00 2001
From: Lukas Braun <lukas.braun@fau.de>
Date: Tue, 7 Feb 2017 14:46:58 +0100
Subject: [PATCH] pam: check received length before comparing response
---
 pam_goatherd.c | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)
diff --git a/pam_goatherd.c b/pam_goatherd.c
index edf426c..6cd78a2 100644
--- a/pam_goatherd.c
+++ b/pam_goatherd.c
@@ -28,6 +28,9 @@ static const char arg_server[] = "server=";
 static const char arg_port[] = "port=";
 static const char arg_certs[] = "certs=";
+static const char str_ok[] = "OK\n";
+static const char str_fail[] = "FAIL\n";
+
 #define dbgp(msg) do { \
 if (cfg.debug) fprintf(stderr, "[%s:%s:%i] %s\n", __FILE__, __FUNCTION__, __LINE__, msg); \
 } while(0)
@@ -194,18 +197,19 @@ static int check_hotp(struct cfg cfg, const char *user, const char *hotp)
 }
 char buf[5];
- if ((err = gnutls_record_recv(session, &buf, sizeof(buf) - 1)) < 0)
+ ssize_t recvd;
+ if ((recvd = gnutls_record_recv(session, &buf, sizeof(buf) - 1)) < 0)
 {
- dbgp2("error in send", gnutls_strerror(err));
+ dbgp2("error in send", gnutls_strerror((int)recvd));
 err = PAM_AUTHINFO_UNAVAIL;
 goto bye;
 }
 // auth succeeded?
- if (!strncmp(buf, "OK", 2)) {
+ if (recvd >= strlen(str_ok) && !strncmp(buf, str_ok, strlen(str_ok))) {
 dbgp("OK");
 err = PAM_SUCCESS;
- } else if (!strncmp(buf, "FAIL", 4)) {
+ } else if (recvd >= strlen(str_fail) && !strncmp(buf, str_fail, strlen(str_fail))) {
 dbgp("FAIL");
 err = PAM_AUTH_ERR;
 } else {
-- 
GitLab
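Review bot: The FAIL branch in check_hotp cannot be reached as written: `buf` is still `char buf[5]` and the receive asks for `sizeof(buf) - 1` bytes, so `recvd` is at most 4, while `strlen(str_fail)` for the `"FAIL\n"` constant added in the first hunk is 5. A FAIL reply from the server therefore falls into the final `else`, whose body is outside this hunk, so it cannot be confirmed from here whether the module still returns a hard denial or some other PAM code that a stack may be configured to ignore. Sizing the buffer from the longest expected reply fixes it: `char buf[sizeof(str_fail)];`. The comparison `recvd >= strlen(str_ok)` also mixes `ssize_t` with `size_t` and is safe only because the negative case has already jumped to `bye`; `(size_t)recvd >= sizeof(str_ok) - 1` would make that explicit and avoid the runtime `strlen` calls. check_hotp starts and ends outside the hunk.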