aboutsummaryrefslogtreecommitdiff
path: root/lib/libpam
diff options
context:
space:
mode:
authorDag-Erling Smørgrav <des@FreeBSD.org>2017-10-26 13:23:13 +0000
committerDag-Erling Smørgrav <des@FreeBSD.org>2017-10-26 13:23:13 +0000
commit79b67c8d4a6c421a42edfd087b3ee84856e7e118 (patch)
tree487c2b9b03aaea3f22bbf5c18e86f43b9af2e869 /lib/libpam
parent0d73fface2cdd48cfab8a72637282cdee0807198 (diff)
downloadsrc-79b67c8d4a6c421a42edfd087b3ee84856e7e118.tar.gz
src-79b67c8d4a6c421a42edfd087b3ee84856e7e118.zip
If the user-provided password exceeds the maximum password length, don't
bother passing it to crypt(). It won't succeed and may allow an attacker to confirm that the user exists. Reported by: jkim@ MFC after: 1 week Security: CVE-2016-6210
Notes
Notes: svn path=/head/; revision=325010
Diffstat (limited to 'lib/libpam')
-rw-r--r--lib/libpam/modules/pam_unix/pam_unix.c5
1 files changed, 5 insertions, 0 deletions
diff --git a/lib/libpam/modules/pam_unix/pam_unix.c b/lib/libpam/modules/pam_unix/pam_unix.c
index 5403d5d555e2..2fd3b61970cf 100644
--- a/lib/libpam/modules/pam_unix/pam_unix.c
+++ b/lib/libpam/modules/pam_unix/pam_unix.c
@@ -111,6 +111,7 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags __unused,
if (!(flags & PAM_DISALLOW_NULL_AUTHTOK) &&
openpam_get_option(pamh, PAM_OPT_NULLOK))
return (PAM_SUCCESS);
+ PAM_LOG("Password is empty, using fake password");
realpw = "*";
}
lc = login_getpwclass(pwd);
@@ -125,6 +126,10 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags __unused,
if (retval != PAM_SUCCESS)
return (retval);
PAM_LOG("Got password");
+ if (strnlen(pass, _PASSWORD_LEN + 1) > _PASSWORD_LEN) {
+ PAM_LOG("Password is too long, using fake password");
+ realpw = "*";
+ }
if (strcmp(crypt(pass, realpw), realpw) == 0)
return (PAM_SUCCESS);