Pārlūkot izejas kodu

* Cleanse the buffer used for the temporary salted pass

Bryan Drewery 17 gadi atpakaļ
vecāks
revīzija
7473b413b6
1 mainītis faili ar 2 papildinājumiem un 3 dzēšanām
  1. 2 3
      src/userrec.c

+ 2 - 3
src/userrec.c

@@ -340,10 +340,9 @@ int u_pass_match(struct userrec *u, char *in)
 
     strlcpy(pass, in, sizeof(pass));
 
-    if (strlen(pass) > MAXPASSLEN)
-      pass[MAXPASSLEN] = 0;
     /* Pass the salted pass in so the same salt can be used */
-    char* newpass = encrypt_pass(u, pass, &cmp[1]);
+    char* newpass = encrypt_pass(u, in, &cmp[1]);
+    OPENSSL_cleanse(pass, sizeof(pass));
     if (!strcmp(cmp, newpass)) {
       free(newpass);
       return 1;