Author: des Date: Thu Oct 26 13:23:13 2017 New Revision: 325010 URL: https://svnweb.freebsd.org/changeset/base/325010
Log: If the user-provided password exceeds the maximum password length, don't bother passing it to crypt(). It won't succeed and may allow an attacker to confirm that the user exists. Reported by: jkim@ MFC after: 1 week Security: CVE-2016-6210 Modified: head/lib/libpam/modules/pam_unix/pam_unix.c Modified: head/lib/libpam/modules/pam_unix/pam_unix.c ============================================================================== --- head/lib/libpam/modules/pam_unix/pam_unix.c Thu Oct 26 10:18:31 2017 (r325009) +++ head/lib/libpam/modules/pam_unix/pam_unix.c Thu Oct 26 13:23:13 2017 (r325010) @@ -111,6 +111,7 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags __un if (!(flags & PAM_DISALLOW_NULL_AUTHTOK) && openpam_get_option(pamh, PAM_OPT_NULLOK)) return (PAM_SUCCESS); + PAM_LOG("Password is empty, using fake password"); realpw = "*"; } lc = login_getpwclass(pwd); @@ -125,6 +126,10 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags __un if (retval != PAM_SUCCESS) return (retval); PAM_LOG("Got password"); + if (strnlen(pass, _PASSWORD_LEN + 1) > _PASSWORD_LEN) { + PAM_LOG("Password is too long, using fake password"); + realpw = "*"; + } if (strcmp(crypt(pass, realpw), realpw) == 0) return (PAM_SUCCESS); _______________________________________________ svn-src-head@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/svn-src-head To unsubscribe, send any mail to "svn-src-head-unsubscr...@freebsd.org"