From a7b9b36f8444bce35d17c5659016d2065a540e2a Mon Sep 17 00:00:00 2001
From: deraadt
Date: Sat, 18 Sep 2021 16:45:52 +0000
Subject: [PATCH] upon length check or other failure, explicit_bzero an object, because it may contain a partially copied password ok tobhe
---
 sbin/iked/parse.y | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/sbin/iked/parse.y b/sbin/iked/parse.y
index 533ea48d77e..fc47c89c3aa 100644
--- a/sbin/iked/parse.y
+++ b/sbin/iked/parse.y
@@ -1,4 +1,4 @@
-/* $OpenBSD: parse.y,v 1.131 2021/05/28 18:01:39 tobhe Exp $ */
+/* $OpenBSD: parse.y,v 1.132 2021/09/18 16:45:52 deraadt Exp $ */
 
 /*
  * Copyright (c) 2019 Tobias Heider
@@ -3071,6 +3071,7 @@ create_user(const char *user, const char *pass)
 	if (*pass == '\0' ||
 	    (strlcpy(usr.usr_pass, pass, sizeof(usr.usr_pass)) >=
 	    sizeof(usr.usr_pass))) {
 		yyerror("invalid password");
+		explicit_bzero(&usr, sizeof usr);	/* zap partial password */
 		return (-1);
 	}
--
2.20.1
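Review bot: The added explicit_bzero clears `usr` only on the rejected-password branch, so if the success path that follows (outside this hunk) copies `usr` into the daemon's configuration and returns, the stack copy holding the complete password is left in place; the same `explicit_bzero(&usr, sizeof usr);` before the successful return would close that gap. The earlier user-name check in create_user presumably returns before anything is written to usr_pass and so does not need the same treatment, but that cannot be confirmed from the visible lines. Note that strlcpy still fills the destination up to its size on truncation, so the truncated-password case the commit message describes is real, and clearing the whole struct rather than just usr_pass is the right granularity. create_user's body starts and ends outside this hunk.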