author Dag-Erling Smørgrav <des@FreeBSD.org> 2018-09-04 10:51:41 +0000
committer Dag-Erling Smørgrav <des@FreeBSD.org> 2018-09-04 10:51:41 +0000
commit e165d7bc3934136f4e22d417d7f429fa4cdd87d2 (patch)
tree 893af5ef9e310fbf316c605c34ee8c89f2159961 /lib/libpam
parent ec86402ecd3a4a8a7bb8651914cdd913ebcd37a4 (diff)
For full Linux-PAM compatibility, add a trailing NUL character when
passing the authentication token to the external program.

Approved by: re (kib)
Submitted by: Thomas Munro <munro@ip9.org>
MFC after: 1 week
Differential Revision: D16950
Notes: svn path=/head/; revision=338453
diff --git a/lib/libpam/modules/pam_exec/pam_exec.8 b/lib/libpam/modules/pam_exec/pam_exec.8
index bf8e22452435..a6836a0792c0 100644
--- a/lib/libpam/modules/pam_exec/pam_exec.8
+++ b/lib/libpam/modules/pam_exec/pam_exec.8
@@ -74,7 +74,8 @@ Ignored for compatibility reasons.
Use the program exit status as the return code of the pam_sm_* function.
It must be a valid return value for this function.
.It Cm expose_authtok
-Write the authentication token to the program's standard input stream.
+Write the authentication token to the program's standard input stream,
+followed by a NUL character.
.It Cm --
Stop options parsing;
program and its arguments follow.
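Review bot: In the expose_authtok entry, the new wording "followed by a NUL character" does not say that the NUL arrives on the program's standard input as an extra byte after the token. A program that reads stdin to EOF and uses everything it read as the password will now see one more byte than before, so consider adding a sentence telling the reader to treat the NUL as the terminator and not as part of the token, and noting that this matches Linux-PAM as the commit message states.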
diff --git a/lib/libpam/modules/pam_exec/pam_exec.c b/lib/libpam/modules/pam_exec/pam_exec.c
index 2b0e92914348..dc4a47e22c08 100644
--- a/lib/libpam/modules/pam_exec/pam_exec.c
+++ b/lib/libpam/modules/pam_exec/pam_exec.c
@@ -254,7 +254,8 @@ _pam_exec(pam_handle_t *pamh,
rc = pam_get_authtok(pamh, PAM_AUTHTOK, &authtok, NULL);
if (rc == PAM_SUCCESS) {
- authtok_size = strlen(authtok);
+ /* We include the trailing NUL-terminator. */
+ authtok_size = strlen(authtok) + 1;
} else {
openpam_log(PAM_LOG_ERROR, "%s: pam_get_authtok(): %s", func,
pam_strerror(pamh, rc));
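Review bot: With "authtok_size = strlen(authtok) + 1;" the variable no longer holds the token's string length but the number of bytes to send, and the code that consumes it is outside this hunk. Please confirm that every later use of authtok_size, the write to the child and any length or limit check, expects the count to include the terminator. The comment would also be more useful if it gave the reason (Linux-PAM compatibility) instead of restating the + 1.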