From 820ef4f92f20eed02bee458cff35da22662a4631 Mon Sep 17 00:00:00 2001 From: "Andrew G. Morgan" Date: Mon, 26 Nov 2001 03:27:40 +0000 Subject: Relevant BUGIDs: 484252 Purpose of commit: bugfix Commit summary: --------------- pam_userdb was not paying close enough attention to password comparisons. Bug report and fix from Vladimir Pastukhov. --- CHANGELOG | 4 +++- modules/pam_userdb/pam_userdb.c | 13 ++++++++----- 2 files changed, 11 insertions(+), 6 deletions(-) diff --git a/CHANGELOG b/CHANGELOG index 5a3d3e10..37fb76b9 100644 --- a/CHANGELOG +++ b/CHANGELOG @@ -49,8 +49,10 @@ bug report - outstanding bugs are listed here: 0.76: please submit patches for this section with actual code/doc patches! +* pam_userdb: require that all of typed password matches that in + database report and fix from Vladimir Pastukhov. (Bug 484252 - agmorgan) * pam_malloc: revived malloc debugging code, now tied to - --enable-memory-debug and added strdup() (Bug 485454 - agmorgan) + --enable-memory-debug and added strdup() support (Bug 485454 - agmorgan) * pam_tally: Nalin's fix for lastlog corruption (Bug 476985 - agmorgan) * pam_rhosts: Nalin adds support for '+hostname', and zdd fix compilation warning. (Bug 476986 - agmorgan) diff --git a/modules/pam_userdb/pam_userdb.c b/modules/pam_userdb/pam_userdb.c index 8eb486cb..519ee898 100644 --- a/modules/pam_userdb/pam_userdb.c +++ b/modules/pam_userdb/pam_userdb.c @@ -138,11 +138,14 @@ static int user_lookup(const char *user, const char *pass) if (data.dptr != NULL) { int compare = 0; - /* bingo, got it */ - if (ctrl & PAM_ICASE_ARG) - compare = strncasecmp(pass, data.dptr, data.dsize); - else - compare = strncmp(pass, data.dptr, data.dsize); + + if (strlen(pass) != data.dsize) { + compare = 1; + } else if (ctrl & PAM_ICASE_ARG) { + compare = strncasecmp(data.dptr, pass, data.dsize); + } else { + compare = strncmp(data.dptr, pass, data.dsize); + } dbm_close(dbm); if (compare == 0) return 0; /* match */ -- cgit v1.2.3