Hi,

> userlist L1
> # user foo insecure-password foo
> user foo password $apr1$Y/Oslz7K$EqwCC6SqzEn35VilLwh/V0

You can't use this kind of password-encryption format. It's only supported by the Apache Runtime Framework. Please use an encrypted password format supported by crypt(3).

> gdb trace:
> - https://gist.github.com/wnkz/e0ae0b0ae60080c41f04

It looks like the encrypted password is passed to crypt() as a salt, and crypt() returns NULL (setting errno to EINVAL) because it does not understand the format. Unfortunately the returned value does not seem to be checked against NULL and is passed to strcmp(), causing a NULL-pointer dereference.

We could probably replace:

#ifdef CONFIG_HAP_CRYPT
	ep = crypt(pass, u->pass);
#else

with:

#ifdef CONFIG_HAP_CRYPT
	ep = crypt(pass, u->pass);
	if (!ep) {
		return 0;
	}
#else

Regards,
-- 
Rémi
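The failure mode discussed in the message above, as an added example that is not part of the original thread or of HAProxy's code: a password check that fails closed when the hashing function rejects the stored hash format. `toy_crypt`, the `$toy$` scheme and `check_password` are constructed for illustration; `toy_crypt` stands in for crypt(3) so the example builds without libcrypt.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Same shape as crypt(3): returns the hash string, or NULL on failure. */
typedef char *(*hash_fn)(const char *key, const char *setting);

/* Constructed stand-in for crypt(3). It knows one made-up scheme, "$toy$",
 * and, as crypt() does for a format it does not support, returns NULL
 * with errno set to EINVAL for anything else. */
static char *toy_crypt(const char *key, const char *setting)
{
    static char out[128];

    if (strncmp(setting, "$toy$", 5) != 0) {
        errno = EINVAL;
        return NULL;
    }
    snprintf(out, sizeof(out), "$toy$%s", key);
    return out;
}

/* Returns 1 if pass matches the stored hash, 0 otherwise. */
static int check_password(hash_fn hash, const char *pass, const char *stored)
{
    const char *ep;

    if (!pass || !stored)
        return 0;
    ep = hash(pass, stored);
    /* NULL: the hash format was rejected. Deny, never strcmp(NULL, ...). */
    if (!ep)
        return 0;
    /* Some crypt() builds signal failure with a token starting with '*'. */
    if (ep[0] == '*')
        return 0;
    return strcmp(ep, stored) == 0;
}

int main(void)
{
    /* Hash string taken from the configuration quoted in the report. */
    const char *apr1 = "$apr1$Y/Oslz7K$EqwCC6SqzEn35VilLwh/V0";

    printf("apr1 entry: %d\n", check_password(toy_crypt, "foo", apr1));
    printf("toy match:  %d\n", check_password(toy_crypt, "foo", "$toy$foo"));
    printf("toy wrong:  %d\n", check_password(toy_crypt, "bar", "$toy$foo"));
    return 0;
}
```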

