From: deraadt Date: Sat, 18 Sep 2021 16:45:52 +0000 (+0000) Subject: upon length check or other failure, explicit_bzero an object, because it may X-Git-Url: http://artulab.com/gitweb/?a=commitdiff_plain;h=a7b9b36f8444bce35d17c5659016d2065a540e2a;p=openbsd upon length check or other failure, explicit_bzero an object, because it may contain a partially copied password ok tobhe --- diff --git a/sbin/iked/parse.y b/sbin/iked/parse.y index 533ea48d77e..fc47c89c3aa 100644 --- a/sbin/iked/parse.y +++ b/sbin/iked/parse.y @@ -1,4 +1,4 @@ -/* $OpenBSD: parse.y,v 1.131 2021/05/28 18:01:39 tobhe Exp $ */ +/* $OpenBSD: parse.y,v 1.132 2021/09/18 16:45:52 deraadt Exp $ */ /* * Copyright (c) 2019 Tobias Heider @@ -3071,6 +3071,7 @@ create_user(const char *user, const char *pass) if (*pass == '\0' || (strlcpy(usr.usr_pass, pass, sizeof(usr.usr_pass)) >= sizeof(usr.usr_pass))) { yyerror("invalid password"); + explicit_bzero(&usr, sizeof usr); /* zap partial password */ return (-1); }
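Review bot: The wipe added in the `invalid password` branch covers only the truncated copy, while a successful `strlcpy` leaves the complete password in `usr.usr_pass` and nothing visible in this hunk clears it on that path. create_user continues past the end of the hunk, so this is inferred rather than confirmed. If `usr` is a stack local whose contents are handed off by copy, the same `explicit_bzero(&usr, sizeof(usr));` belongs before the function's normal return as well. As a style point, the neighbouring lines write `sizeof(usr.usr_pass)` with parentheses, so `sizeof(usr)` would match the file better than `sizeof usr`.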