For full Linux-PAM compatibility, add a trailing NUL character when

passing the authentication token to the external program. Approved by: re (kib) Submitted by: Thomas Munro <munro@ip9.org> MFC after: 1 week Differential Revision: D16950
2018-09-04 10:51:41 +00:00 · 2018-09-04 10:51:41 +00:00 · e165d7bc39
commit e165d7bc39
parent ec86402ecd
2 changed files with 4 additions and 2 deletions
--- a/lib/libpam/modules/pam_exec/pam_exec.8
+++ b/lib/libpam/modules/pam_exec/pam_exec.8
@ -74,7 +74,8 @@ Ignored for compatibility reasons.
 Use the program exit status as the return code of the pam_sm_* function.
 It must be a valid return value for this function.
 .It Cm expose_authtok
-Write the authentication token to the program's standard input stream.
+Write the authentication token to the program's standard input stream,
+followed by a NUL character.
 .It Cm --
 Stop options parsing;
 program and its arguments follow.
--- a/lib/libpam/modules/pam_exec/pam_exec.c
+++ b/lib/libpam/modules/pam_exec/pam_exec.c
@ -254,7 +254,8 @@ _pam_exec(pam_handle_t *pamh,
 		}
 		rc = pam_get_authtok(pamh, PAM_AUTHTOK, &authtok, NULL);
 		if (rc == PAM_SUCCESS) {
-			authtok_size = strlen(authtok);
+			/* We include the trailing NUL-terminator. */
+			authtok_size = strlen(authtok) + 1;
 		} else {
 			openpam_log(PAM_LOG_ERROR, "%s: pam_get_authtok(): %s", func,
 						pam_strerror(pamh, rc));