瀏覽代碼

* Don't truncate at MAXPASSLEN when comparing password to salted-sha1

Bryan Drewery 14 年之前
父節點
當前提交
674e2b72ac
共有 1 個文件被更改,包括 2 次插入3 次删除
  1. 2 3
      src/userrec.c

+ 2 - 3
src/userrec.c

@@ -343,13 +343,12 @@ int u_pass_match(struct userrec *u, const char *in)
     if (!strcmp(cmp, in))
       return 1;
   } else {
-    char pass[MAXPASSLEN + 1] = "";
-
-    strlcpy(pass, in, sizeof(pass));
+    char *pass = strdup(in), *pass_p = pass;
 
     /* Pass the salted pass in so the same salt can be used */
     int n = salted_sha1cmp(cmp, pass);
     OPENSSL_cleanse(pass, sizeof(pass));
+    free(pass_p);
     if (!n)
       return 1;
   }