fix CVE-2016-6866

This commit is contained in:
Markus Teich 2016-08-31 00:59:06 +02:00
parent b87bfa2343
commit d8bec0f6fd

10
slock.c
View file

@ -123,7 +123,7 @@ readpw(Display *dpy)
readpw(Display *dpy, const char *pws) readpw(Display *dpy, const char *pws)
#endif #endif
{ {
char buf[32], passwd[256]; char buf[32], passwd[256], *encrypted;
int num, screen; int num, screen;
unsigned int len, color; unsigned int len, color;
KeySym ksym; KeySym ksym;
@ -159,7 +159,11 @@ readpw(Display *dpy, const char *pws)
#ifdef HAVE_BSD_AUTH #ifdef HAVE_BSD_AUTH
running = !auth_userokay(getlogin(), NULL, "auth-slock", passwd); running = !auth_userokay(getlogin(), NULL, "auth-slock", passwd);
#else #else
running = !!strcmp(crypt(passwd, pws), pws); errno = 0;
if (!(encrypted = crypt(passwd, pws)))
fprintf(stderr, "slock: crypt: %s\n", strerror(errno));
else
running = !!strcmp(encrypted, pws);
#endif #endif
if (running) { if (running) {
XBell(dpy, 100); XBell(dpy, 100);
@ -312,6 +316,8 @@ main(int argc, char **argv) {
#ifndef HAVE_BSD_AUTH #ifndef HAVE_BSD_AUTH
pws = getpw(); pws = getpw();
if (strlen(pws) < 2)
die("slock: failed to get user password hash.\n");
#endif #endif
if (!(dpy = XOpenDisplay(NULL))) if (!(dpy = XOpenDisplay(NULL)))