Bug 27154

Summary: login(1) accesses pam_getenvlist() *after* pam_end()
Product: Base System
Reporter: stolz <stolz>
Component: bin
Assignee: freebsd-bugs (Nobody) <bugs>
Status: Closed FIXED    
Severity: Affects Only Me    
Priority: Normal    
Version: 4.3-STABLE   
Hardware: Any   
OS: Any   

Description stolz 2001-05-06 14:10:01 UTC
login(1) will call pam_end() before accessing the data obtained by
pam_getenvlist(), thus accessing stale data and free() will start complaining.
Of course the area used for storing the data has been invalidated before, as
pam_close() cleans up after itself :/

However, this seems to have gone unnoted as nobody was passing on any
changes in the environment.

Fix: 

*shrug* I'm currently wibbling around in login.c, patch might follow.
Obviously you have to copy the environment before pam_end()...
pam_misc_copy_env() and pam_misc_drop_env() should help, too.
http://www.kernel.org/pub/linux/libs/pam/Linux-PAM-html/pam_modules-2.html#ss2.2

How-To-Repeat:

Install /usr/ports/security/pam_ssh,
make corresponding adjustments to /etc/pam.conf, login:
login will succeed, but you will get a warning:
login in free(): warning: junk pointer, too high to make sense.
SSH-variables will remain unset.
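
The ordering described under "Fix" above (copy the environment before pam_end()), modeled as an added example; it is not code from login.c or from the patch in PR bin/27153. `struct session`, `session_end()`, `env_dup()`, `env_free()` and `export_env_then_end()` are hypothetical stand-ins so the block builds without libpam, with `session_end()` playing the role of pam_end().

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for the state a PAM handle owns; not libpam's layout. */
struct session { char **env; };

/* Free a NULL-terminated vector of heap strings (NULL is accepted). */
void env_free(char **env)
{
    for (size_t i = 0; env != NULL && env[i] != NULL; i++)
        free(env[i]);
    free(env);
}

/* Deep-copy a NULL-terminated "NAME=value" vector; NULL on allocation failure. */
char **env_dup(char *const *src)
{
    size_t n = 0;
    while (src != NULL && src[n] != NULL)
        n++;
    char **dst = calloc(n + 1, sizeof(*dst));   /* dst[n] stays NULL */
    if (dst == NULL)
        return NULL;
    for (size_t i = 0; i < n; i++) {
        size_t len = strlen(src[i]) + 1;
        dst[i] = malloc(len);
        if (dst[i] == NULL) {
            env_free(dst);                      /* frees only the filled prefix */
            return NULL;
        }
        memcpy(dst[i], src[i], len);
    }
    return dst;
}

/* Stand-in for pam_end(): releases everything the session owns. */
void session_end(struct session *s)
{
    env_free(s->env);
    s->env = NULL;
}

/* Correct order: take a caller-owned copy first, tear the session down second. */
char **export_env_then_end(struct session *s)
{
    char **copy = env_dup(s->env);
    session_end(s);
    return copy;
}
```

The caller owns the returned vector and releases it with `env_free()` once the variables have been exported into the login environment.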
Comment 1 stolz 2001-05-09 17:38:06 UTC
This is fixed in the patch for PR bin/27153.
-- 
Abstract syntax dreams.
Volker Stolz * stolz@i2.informatik.rwth-aachen.de * PGP + S/MIME
Comment 2 Volker Stolz 2001-07-24 09:34:08 UTC
This PR can be closed

Resolved by bin/27153.
-- 
Abstract syntax dreams.
Volker Stolz * stolz@i2.informatik.rwth-aachen.de * PGP + S/MIME
Comment 3 ru freebsd_committer freebsd_triage 2001-08-07 10:04:14 UTC
State Changed
From-To: open->closed

Resolved by PR bin/27153.