Author: des
Date: Thu Oct 26 13:23:13 2017
New Revision: 325010
URL: https://svnweb.freebsd.org/changeset/base/325010
Log:
If the user-provided password exceeds the maximum password length, don't
bother passing it to crypt(). It won't succeed and may allow an attacker
to confirm that the user exists.
Reported by: jkim@
MFC after: 1 week
Security: CVE-2016-6210
Modified:
head/lib/libpam/modules/pam_unix/pam_unix.c
Modified: head/lib/libpam/modules/pam_unix/pam_unix.c
==============================================================================
--- head/lib/libpam/modules/pam_unix/pam_unix.c Thu Oct 26 10:18:31 2017
(r325009)
+++ head/lib/libpam/modules/pam_unix/pam_unix.c Thu Oct 26 13:23:13 2017
(r325010)
@@ -111,6 +111,7 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags __un
if (!(flags & PAM_DISALLOW_NULL_AUTHTOK) &&
openpam_get_option(pamh, PAM_OPT_NULLOK))
return (PAM_SUCCESS);
+ PAM_LOG("Password is empty, using fake password");
realpw = "*";
}
lc = login_getpwclass(pwd);
@@ -125,6 +126,10 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags __un
if (retval != PAM_SUCCESS)
return (retval);
PAM_LOG("Got password");
+ if (strnlen(pass, _PASSWORD_LEN + 1) > _PASSWORD_LEN) {
+ PAM_LOG("Password is too long, using fake password");
+ realpw = "*";
+ }
if (strcmp(crypt(pass, realpw), realpw) == 0)
return (PAM_SUCCESS);
_______________________________________________
svn-src-head@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/svn-src-head
To unsubscribe, send any mail to "svn-src-head-unsubscr...@freebsd.org"
