sss_seed: Passwords longer then PASS_MAX not allowed.

sss_seed fails if password file specified with -p or
--password-file option contains password longer than
PASS_MAX.

Man pages inform about PASS_MAX limitation.

2 files changed, 20 insertions, 1 deletions

diff --git a/src/man/sss_seed.8.xml b/src/man/sss_seed.8.xml
index e83b610b8..39f8c026c 100644
--- a/src/man/sss_seed.8.xml
+++ b/src/man/sss_seed.8.xml
@@ -159,6 +159,18 @@
         </variablelist>
     </refsect1>
 
+    <refsect1 id='notes'>
+        <title>NOTES</title>
+        <para>
+            The length of the password (or the size of file specified with -p
+            or --password-file option) must be less than or equal to PASS_MAX
+            bytes (64 bytes on systems with no globally-defined PASS_MAX value).
+        </para>
+        <para>
+        </para>
+    </refsect1>
+
+
     <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="include/seealso.xml" />
 
 </refentry>
diff --git a/src/tools/sss_seed.c b/src/tools/sss_seed.c
index 9b8f69b12..9b1471d7c 100644
--- a/src/tools/sss_seed.c
+++ b/src/tools/sss_seed.c
@@ -263,7 +263,7 @@ static int seed_password_input_file(TALLOC_CTX *mem_ctx,
     }
 
     errno = 0;
-    len = sss_atomic_read_s(fd, buf, PASS_MAX);
+    len = sss_atomic_read_s(fd, buf, PASS_MAX + 1);
     if (len == -1) {
         ret = errno;
         DEBUG(SSSDBG_MINOR_FAILURE, ("Failed to read password from file "
@@ -274,6 +274,13 @@ static int seed_password_input_file(TALLOC_CTX *mem_ctx,
     }
 
     close(fd);
+
+    if (len > PASS_MAX) {
+        ERROR("Password file too big.\n");
+        ret = EINVAL;
+        goto done;
+    }
+
     buf[len] = '\0';
 
     /* Only the first line is valid (without '\n'). */