-rw-r--r--src/tools/sss_seed.c36
1 files changed, 36 insertions, 0 deletions
diff --git a/src/tools/sss_seed.c b/src/tools/sss_seed.c
index bcb260a1b..9b8f69b12 100644
--- a/src/tools/sss_seed.c
+++ b/src/tools/sss_seed.c
@@ -196,6 +196,14 @@ static int seed_password_input_prompt(TALLOC_CTX *mem_ctx, char **_password)
ret = EINVAL;
goto done;
}
+
+ /* Do not allow empty passwords */
+ if (strlen(temp) == 0) {
+ ERROR("Empty passwords are not allowed.\n");
+ ret = EINVAL;
+ goto done;
+ }
+
password = talloc_strdup(tmp_ctx, temp);
if (password == NULL) {
ret = ENOMEM;
@@ -235,6 +243,8 @@ static int seed_password_input_file(TALLOC_CTX *mem_ctx,
uint8_t buf[PASS_MAX+1];
int fd = -1;
int ret = EOK;
+ int valid_i;
+ int i;
tmp_ctx = talloc_new(NULL);
if (tmp_ctx == NULL) {
@@ -266,6 +276,32 @@ static int seed_password_input_file(TALLOC_CTX *mem_ctx,
close(fd);
buf[len] = '\0';
+ /* Only the first line is valid (without '\n'). */
+ for (valid_i = -1; valid_i + 1 < len; valid_i++) {
+ if (buf[valid_i + 1] == '\n') {
+ buf[valid_i + 1] = '\0';
+ break;
+ }
+ }
+
+ /* Do not allow empty passwords. */
+ if (valid_i < 0) {
+ ERROR("Empty passwords are not allowed.\n");
+ ret = EINVAL;
+ goto done;
+ }
+
+ /* valid_i is the last valid index of the password followed by \0.
+ * If characters other than \n occur int the rest of the file, it
+ * is an error. */
+ for (i = valid_i + 2; i < len; i++) {
+ if (buf[i] != '\n') {
+ ERROR("Multi-line passwords are not allowed.\n");
+ ret = EINVAL;
+ goto done;
+ }
+ }
+
password = talloc_strdup(tmp_ctx, (char *)buf);
if (password == NULL) {
ret = ENOMEM;
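Review bot: The empty-password check `if (valid_i < 0)` tests where the first newline sits, not the length of the string that `talloc_strdup(tmp_ctx, (char *)buf)` will actually copy. A file whose first byte is NUL therefore passes the check and still yields an empty password, and a NUL anywhere before the newline silently shortens the stored password. Comparing the two lengths closes both cases, e.g. `if (valid_i < 0 || strlen((char *)buf) != (size_t)(valid_i + 1)) {`, ideally with a separate message for the embedded-NUL case so the error is not misleading. A `\r` left by a CRLF-terminated file is also kept as part of the password, which deserves either stripping or a line in the comment. The declaration of `len` and the read that fills `buf` are outside the hunk, so the signedness of `valid_i + 1 < len` cannot be confirmed from here; the new comment also has a typo, `int the rest` for `in the rest`.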