segfault in svr-authpasswd.c
Kevin Johnson
aloof.schipperke at gmail.com
Mon Apr 29 22:20:32 WST 2013
For users with locked accounts, dropbear segfaults on password
authentication. The call to crypt() with glibc 2.17 returns NULL if
the passwd field is '!'. Strcmp() segfaults on the NULL value. Here's
a patch against 2013.58 that adds a check.
--- svr-authpasswd.c.old
+++ svr-authpasswd.c
@@ -66,6 +66,12 @@
m_burn(password, passwordlen);
m_free(password);
+ if (testcrypt == NULL) {
+ dropbear_log(LOG_WARNING, "Crypt against user '%s' password
failed, rejected",
+ ses.authstate.pw_name);
+ send_msg_userauth_failure(0, 1);
+ return;
+ }
/* check for empty password */
if (passwdcrypt[0] == '\0') {
dropbear_log(LOG_WARNING, "User '%s' has blank password, rejected",
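Review bot: the format string in the added dropbear_log() call is split across two lines ("...password" then "failed, rejected"), most likely by mail wrapping, so the hunk will not apply or compile as posted; keep the literal on one line or resend the patch as an attachment. The new `testcrypt == NULL` block would also benefit from a short comment in the style of `/* check for empty password */` just below it, noting that crypt() can return NULL (the message cites glibc 2.17 with a '!' passwd field), so the reason for the check stays with the code.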
--
thx,
Kevin Johnson