From 01580dd19c0bdfa23e480caa3d197f4b1b9afa7e Mon Sep 17 00:00:00 2001
From: netliomax25-code
Date: Thu, 30 Apr 2026 17:52:31 +0000
Subject: [PATCH] Fix PAM response allocation to handle invalid message count
---
 src/auth/passdb-pam.c | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/src/auth/passdb-pam.c b/src/auth/passdb-pam.c
index a4fb7aebf17..6e11eee847e 100644
--- a/src/auth/passdb-pam.c
+++ b/src/auth/passdb-pam.c
@@ -113,7 +113,14 @@ pam_userpass_conv(int num_msg, pam_const struct pam_message **msg,
 *resp_r = NULL;
- resp = calloc(num_msg, sizeof(struct pam_response));
+ if (num_msg < 0 ||
+ (size_t)num_msg > SIZE_MAX / sizeof(struct pam_response)) {
+ e_error(authdb_event(ctx->request),
+ "pam: invalid response count: %d", num_msg);
+ return PAM_CONV_ERR;
+ }
+
+ resp = calloc((size_t)num_msg, sizeof(struct pam_response));
 if (resp == NULL)
 i_fatal_status(FATAL_OUTOFMEM, "Out of memory");
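Review bot: The upper bound added before `calloc()` in pam_userpass_conv() only rejects counts whose byte size would overflow `size_t`, which `calloc()` already detects itself. Any large positive `num_msg` below that threshold still reaches the allocation and, if it fails, the `i_fatal_status(FATAL_OUTOFMEM, ...)` call that ends the process rather than returning `PAM_CONV_ERR`. A protocol-level limit would be tighter than an arithmetic one: where the platform's PAM headers define `PAM_MAX_NUM_MSG`, the guard could read `if (num_msg <= 0 || num_msg > PAM_MAX_NUM_MSG) {`. A zero count is also worth deciding on explicitly, since `calloc(0, ...)` may return NULL on some C libraries and would then be reported as out of memory. The rest of the function, including where `ctx` is set up and the loop that fills `resp`, is outside this hunk, so that part is unverified here.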