From cf94882052008d0a414304e0c99aecd1b57c2c9d Mon Sep 17 00:00:00 2001
From: "fox.cpp" <fox.cpp@disroot.org>
Date: Sun, 6 Mar 2022 15:55:09 +0300
Subject: [PATCH] auth/pam: Fix double-free crash

conv_func may be called multiple times and should return
a unique pam_response each time.

Closes #272.
---
 cmd/maddy-pam-helper/pam.c | 35 +++++++++++++++++++----------------
 cmd/maddy-pam-helper/pam.h | 18 ++++++++++++++++++
 internal/auth/pam/pam.c    | 33 +++++++++++++++++++--------------
 3 files changed, 56 insertions(+), 30 deletions(-)

diff --git a/cmd/maddy-pam-helper/pam.c b/cmd/maddy-pam-helper/pam.c
index 0826002..4829164 100644
--- a/cmd/maddy-pam-helper/pam.c
+++ b/cmd/maddy-pam-helper/pam.c
@@ -1,5 +1,3 @@
-//+build libpam
-
 /*
 Maddy Mail Server - Composable all-in-one email server.
 Copyright © 2019-2022 Max Mazurov <fox.cpp@disroot.org>, Maddy Mail Server contributors
@@ -21,28 +19,33 @@ along with this program.  If not, see <https://www.gnu.org/licenses/>.
 #define _POSIX_C_SOURCE 200809L
 #include <stdio.h>
 #include <stdlib.h>
+#include <string.h>
 #include <security/pam_appl.h>
 #include "pam.h"
 
 static int conv_func(int num_msg, const struct pam_message **msg, struct pam_response **resp, void *appdata_ptr) {
-    *resp = (struct pam_response*)appdata_ptr;
+    struct pam_response *reply = malloc(sizeof(struct pam_response));
+    if (reply == NULL) {
+        return PAM_CONV_ERR;
+    }
+
+    char* password_cpy = malloc(strlen((char*)appdata_ptr)+1);
+    if (password_cpy == NULL) {
+        return PAM_CONV_ERR;
+    }
+    memcpy(password_cpy, (char*)appdata_ptr, strlen((char*)appdata_ptr)+1);
+
+    reply->resp = password_cpy;
+    reply->resp_retcode = 0;
+
+    // PAM frees pam_response for us.
+    *resp = reply;
+
     return PAM_SUCCESS;
 }
 
 struct error_obj run_pam_auth(const char *username, char *password) {
-    // PAM frees pam_response for us.
-    struct pam_response *reply = malloc(sizeof(struct pam_response));
-    if (reply == NULL) {
-        struct error_obj ret_val;
-        ret_val.status = 2;
-        ret_val.func_name = "malloc";
-        ret_val.error_msg = "Out of memory";
-        return ret_val;
-    }
-    reply->resp = password;
-    reply->resp_retcode = 0;
-
-    const struct pam_conv local_conv = { conv_func, reply };
+    const struct pam_conv local_conv = { conv_func, password };
     pam_handle_t *local_auth = NULL;
     int status = pam_start("maddy", username, &local_conv, &local_auth);
     if (status != PAM_SUCCESS) {
diff --git a/cmd/maddy-pam-helper/pam.h b/cmd/maddy-pam-helper/pam.h
index 6df667f..e9831ecc 100644
--- a/cmd/maddy-pam-helper/pam.h
+++ b/cmd/maddy-pam-helper/pam.h
@@ -1,3 +1,21 @@
+/*
+Maddy Mail Server - Composable all-in-one email server.
+Copyright © 2019-2020 Max Mazurov <fox.cpp@disroot.org>, Maddy Mail Server contributors
+
+This program is free software: you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation, either version 3 of the License, or
+(at your option) any later version.
+
+This program is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with this program.  If not, see <https://www.gnu.org/licenses/>.
+*/
+
 #pragma once
 
 struct error_obj {
diff --git a/internal/auth/pam/pam.c b/internal/auth/pam/pam.c
index 0826002..38e9942 100644
--- a/internal/auth/pam/pam.c
+++ b/internal/auth/pam/pam.c
@@ -21,28 +21,33 @@ along with this program.  If not, see <https://www.gnu.org/licenses/>.
 #define _POSIX_C_SOURCE 200809L
 #include <stdio.h>
 #include <stdlib.h>
+#include <string.h>
 #include <security/pam_appl.h>
 #include "pam.h"
 
 static int conv_func(int num_msg, const struct pam_message **msg, struct pam_response **resp, void *appdata_ptr) {
-    *resp = (struct pam_response*)appdata_ptr;
+    struct pam_response *reply = malloc(sizeof(struct pam_response));
+    if (reply == NULL) {
+        return PAM_CONV_ERR;
+    }
+
+    char* password_cpy = malloc(strlen((char*)appdata_ptr)+1);
+    if (password_cpy == NULL) {
+        return PAM_CONV_ERR;
+    }
+    memcpy(password_cpy, (char*)appdata_ptr, strlen((char*)appdata_ptr)+1);
+
+    reply->resp = password_cpy;
+    reply->resp_retcode = 0;
+
+    // PAM frees pam_response for us.
+    *resp = reply;
+
     return PAM_SUCCESS;
 }
 
 struct error_obj run_pam_auth(const char *username, char *password) {
-    // PAM frees pam_response for us.
-    struct pam_response *reply = malloc(sizeof(struct pam_response));
-    if (reply == NULL) {
-        struct error_obj ret_val;
-        ret_val.status = 2;
-        ret_val.func_name = "malloc";
-        ret_val.error_msg = "Out of memory";
-        return ret_val;
-    }
-    reply->resp = password;
-    reply->resp_retcode = 0;
-
-    const struct pam_conv local_conv = { conv_func, reply };
+    const struct pam_conv local_conv = { conv_func, password };
     pam_handle_t *local_auth = NULL;
     int status = pam_start("maddy", username, &local_conv, &local_auth);
     if (status != PAM_SUCCESS) {