From cbaa666d4f21988164068a38ac915f8b4f3c4da3 Mon Sep 17 00:00:00 2001 From: Sadrul Habib Chowdhury Date: Fri, 14 Sep 2012 23:40:23 -0400 Subject: Guard against NULL returns from crypt(). MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit crypt() can return NULL on an error. Make sure these nulls are handled properly instead of crashing. The fix is thanks to a patch from Lukáš Nykrýn . --- src/acls.c | 18 +++++++++++++----- src/attacher.c | 9 ++++++++- src/process.c | 6 ++++++ src/socket.c | 9 +++++++-- 4 files changed, 34 insertions(+), 8 deletions(-) diff --git a/src/acls.c b/src/acls.c index e728bb8..2f8c809 100644 --- a/src/acls.c +++ b/src/acls.c @@ -455,6 +455,16 @@ int recursive; return gp; /* *gp is NULL */ } +static int +PasswordMatches(pw, password) +const char *pw, *password; +{ + if (!*password) + return 0; + char *buf = crypt(pw, password); + return (buf && !strcmp(buf, password)); +} + /* * Returns nonzero if failed or already linked. * Both users are created on demand. @@ -544,8 +554,7 @@ char *name, *pw1, *pw2; if (pw2 && *pw2 && *pw2 != '\377') /* provided a system password */ { - if (!*pass || /* but needed none */ - strcmp(crypt(pw2, pass), pass)) + if (!PasswordMatches(pw2, pass)) { debug("System password mismatch\n"); sorry++; @@ -554,11 +563,10 @@ char *name, *pw1, *pw2; else /* no pasword provided */ if (*pass) /* but need one */ sorry++; -#endif +#endif /* CHECKLOGIN */ if (pw1 && *pw1 && *pw1 != '\377') /* provided a screen password */ { - if (!*u->u_password || /* but needed none */ - strcmp(crypt(pw1, u->u_password), u->u_password)) + if (!PasswordMatches(pw1, u->u_password)) { debug("screen password mismatch\n"); sorry++; diff --git a/src/attacher.c b/src/attacher.c index 370d594..4e496be 100644 --- a/src/attacher.c +++ b/src/attacher.c @@ -882,6 +882,12 @@ screen_builtin_lck() salt[1] = 'A' + (int)((time(0) >> 6) % 26); salt[2] = 0; pass = crypt(mypass, salt); + if (!pass) + { + fprintf(stderr, "crypt() error.\007\n"); + sleep(2); + return; + } pass = ppp->pw_passwd = SaveStr(pass); } #endif @@ -924,7 +930,8 @@ screen_builtin_lck() if (pam_error == PAM_SUCCESS) break; #else - if (!strncmp(crypt(cp1, pass), pass, strlen(pass))) + char *buf = crypt(cp1, pass); + if (buf && !strncmp(buf, pass, strlen(pass))) break; #endif debug("screen_builtin_lck: NO!!!!!\n"); diff --git a/src/process.c b/src/process.c index bdf9355..30497a3 100644 --- a/src/process.c +++ b/src/process.c @@ -6360,6 +6360,12 @@ char *data; buf = crypt(u->u_password, salt); bzero(u->u_password, strlen(u->u_password)); free((char *)u->u_password); + if (!buf) + { + Msg(0, "[ crypt() error - no secure ]"); + u->u_password = NullStr; + return; + } u->u_password = SaveStr(buf); bzero(buf, strlen(buf)); #ifdef COPY_PASTE diff --git a/src/socket.c b/src/socket.c index 8f9a315..a7755a4 100644 --- a/src/socket.c +++ b/src/socket.c @@ -1565,13 +1565,18 @@ int ilen; c = *(unsigned char *)ibuf++; if (c == '\r' || c == '\n') { + char *buf = NULL; up = D_user->u_password; pwdata->buf[l] = 0; - if (strncmp(crypt(pwdata->buf, up), up, strlen(up))) + buf = crypt(pwdata->buf, up); + if (!buf || strncmp(buf, up, strlen(up))) { /* uh oh, user failed */ bzero(pwdata->buf, sizeof(pwdata->buf)); - AddStr("\r\nPassword incorrect.\r\n"); + if (!buf) + AddStr("\r\ncrypt() failed.\r\n"); + else + AddStr("\r\nPassword incorrect.\r\n"); D_processinputdata = 0; /* otherwise freed by FreeDis */ FreeDisplay(); Msg(0, "Illegal reattach attempt from terminal %s.", pwdata->m.m_tty); -- cgit v1.2.1