diff options
| author | Dag-Erling Smørgrav <des@FreeBSD.org> | 2017-10-26 13:23:13 +0000 |
|---|---|---|
| committer | Dag-Erling Smørgrav <des@FreeBSD.org> | 2017-10-26 13:23:13 +0000 |
| commit | 79b67c8d4a6c421a42edfd087b3ee84856e7e118 (patch) | |
| tree | 487c2b9b03aaea3f22bbf5c18e86f43b9af2e869 /lib/libpam | |
| parent | 0d73fface2cdd48cfab8a72637282cdee0807198 (diff) | |
| download | src-79b67c8d4a6c421a42edfd087b3ee84856e7e118.tar.gz src-79b67c8d4a6c421a42edfd087b3ee84856e7e118.zip | |
If the user-provided password exceeds the maximum password length, don't
bother passing it to crypt(). It won't succeed and may allow an attacker
to confirm that the user exists.
Reported by: jkim@
MFC after: 1 week
Security: CVE-2016-6210
Notes
Notes:
svn path=/head/; revision=325010
Diffstat (limited to 'lib/libpam')
| -rw-r--r-- | lib/libpam/modules/pam_unix/pam_unix.c | 5 |
1 files changed, 5 insertions, 0 deletions
diff --git a/lib/libpam/modules/pam_unix/pam_unix.c b/lib/libpam/modules/pam_unix/pam_unix.c index 5403d5d555e2..2fd3b61970cf 100644 --- a/lib/libpam/modules/pam_unix/pam_unix.c +++ b/lib/libpam/modules/pam_unix/pam_unix.c @@ -111,6 +111,7 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags __unused, if (!(flags & PAM_DISALLOW_NULL_AUTHTOK) && openpam_get_option(pamh, PAM_OPT_NULLOK)) return (PAM_SUCCESS); + PAM_LOG("Password is empty, using fake password"); realpw = "*"; } lc = login_getpwclass(pwd); @@ -125,6 +126,10 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags __unused, if (retval != PAM_SUCCESS) return (retval); PAM_LOG("Got password"); + if (strnlen(pass, _PASSWORD_LEN + 1) > _PASSWORD_LEN) { + PAM_LOG("Password is too long, using fake password"); + realpw = "*"; + } if (strcmp(crypt(pass, realpw), realpw) == 0) return (PAM_SUCCESS); |