authorOndrej Kos <okos@redhat.com>2013-06-24 16:58:23 +0200
committerJakub Hrozek <jhrozek@redhat.com>2013-07-18 16:06:07 +0200
commit1040b33d3ddc361b821a689162f66727fca6709d (patch)
treedd14cdbb5ac28ae741ec67840f3dcae5102b49cc
parent800c9402f74b1587aeddeb8160fb7d775b7cde25 (diff)
Do not try to set password when authtok_length is zero
https://fedorahosted.org/sssd/ticket/1814 When authtok_length is zero, the code shouldn't call sss_authtok_set_password, because that function tries to determine the length of the passed string by itself and would read parts of the DBus message beyond the boundaries of the authtok.
-rw-r--r--src/responder/pam/pamsrv_cmd.c8
1 files changed, 6 insertions, 2 deletions
diff --git a/src/responder/pam/pamsrv_cmd.c b/src/responder/pam/pamsrv_cmd.c
index ff86a13a5..bf9a68623 100644
--- a/src/responder/pam/pamsrv_cmd.c
+++ b/src/responder/pam/pamsrv_cmd.c
@@ -65,8 +65,12 @@ static int extract_authtok_v2(TALLOC_CTX *mem_ctx, struct sss_auth_token *tok,
sss_authtok_set_empty(tok);
break;
case SSS_AUTHTOK_TYPE_PASSWORD:
- ret = sss_authtok_set_password(tok, (const char *)auth_token_data,
- auth_token_length);
+ if (auth_token_length == 0) {
+ sss_authtok_set_empty(tok);
+ } else {
+ ret = sss_authtok_set_password(tok, (const char *)auth_token_data,
+ auth_token_length);
+ }
break;
default:
return EINVAL;
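Review bot: The zero-length guard in the SSS_AUTHTOK_TYPE_PASSWORD case has no comment saying why it exists, and it closes the over-read only at this one call site. Per the commit description, sss_authtok_set_password() measures the string itself when it is passed a length of 0, so any other caller that forwards a length taken from a client message would need the same check; handling 0 inside the callee would cover them all, though its body is not visible here. At minimum add `/* length 0 makes sss_authtok_set_password() compute the length itself and read past the token buffer */` above the `if`. The new branch also leaves `ret` untouched, so it relies on `ret` being initialised before the switch, which is outside the hunk; an explicit `ret = EOK;` next to `sss_authtok_set_empty(tok);` would remove that dependency. extract_authtok_v2 starts and ends outside the hunk.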