svn commit: r325010 - head/lib/libpam/modules/pam_unix

Dag-Erling Smørgrav des at FreeBSD.org
Thu Oct 26 13:23:14 UTC 2017


Author: des
Date: Thu Oct 26 13:23:13 2017
New Revision: 325010
URL: https://svnweb.freebsd.org/changeset/base/325010

Log:
  If the user-provided password exceeds the maximum password length, don't
  bother passing it to crypt().  It won't succeed and may allow an attacker
  to confirm that the user exists.
  
  Reported by:	jkim@
  MFC after:	1 week
  Security:	CVE-2016-6210

Modified:
  head/lib/libpam/modules/pam_unix/pam_unix.c

Modified: head/lib/libpam/modules/pam_unix/pam_unix.c
==============================================================================
--- head/lib/libpam/modules/pam_unix/pam_unix.c	Thu Oct 26 10:18:31 2017	(r325009)
+++ head/lib/libpam/modules/pam_unix/pam_unix.c	Thu Oct 26 13:23:13 2017	(r325010)
@@ -111,6 +111,7 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags __un
 			if (!(flags & PAM_DISALLOW_NULL_AUTHTOK) &&
 			    openpam_get_option(pamh, PAM_OPT_NULLOK))
 				return (PAM_SUCCESS);
+			PAM_LOG("Password is empty, using fake password");
 			realpw = "*";
 		}
 		lc = login_getpwclass(pwd);
@@ -125,6 +126,10 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags __un
 	if (retval != PAM_SUCCESS)
 		return (retval);
 	PAM_LOG("Got password");
+	if (strnlen(pass, _PASSWORD_LEN + 1) > _PASSWORD_LEN) {
+		PAM_LOG("Password is too long, using fake password");
+		realpw = "*";
+	}
 	if (strcmp(crypt(pass, realpw), realpw) == 0)
 		return (PAM_SUCCESS);
 
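Review bot: The log entry says an over-long password is not passed to crypt(), but the added block only swaps the salt to the fake `"*"`, and the unchanged `strcmp(crypt(pass, realpw), realpw)` call immediately below still hashes the full input. What actually closes the user-existence oracle is that an over-long password now takes the same path as a nonexistent user or an empty password (both already use `realpw = "*"`), so the work done no longer depends on whether a real hash was found; a comment on the new `if` should say so, e.g. `/* Over-long password: hash against the fake salt so the attempt is indistinguishable from a nonexistent user, instead of a real (possibly slow) salt. */`. Whether crypt() can return NULL on this platform is not visible in the hunk; if it can, the `strcmp(crypt(...), realpw)` on the following line is a pre-existing null dereference that this change does not address. pam_sm_authenticate begins before the hunk and continues after it.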

