pam_oath: assign safe default to alwaysok config member (!8) · Merge requests · oath-toolkit / oath-toolkit

Matthias Gerstner requested to merge mgerstner/oath-toolkit:pam_oath_alwaysok into master Jul 05, 2018

The way this was before allowed for the PAM authentication to potentially succeed when the first goto done line is hit. If the undefined data behind alwaysok is non-zero (which is quite probable) this would happen.

In theory a local attacker could try to exhaust memory just enough to hit this spot and get e.g. root access.

Admin message

pam_oath: assign safe default to alwaysok config member

Merge request reports