From e8e1a6fac9878e1deb40ce0cd5d91cf9d0991463 Mon Sep 17 00:00:00 2001
From: des <des@ccf9f872-aa2e-dd11-9fc8-001c23d0bc1f>
Date: Tue, 14 Nov 2017 10:49:07 +0000
Subject: [PATCH] MFH (r325010): don't bother verifying a password that we know
 is too long.

Reported by:	jkim@
Security:	CVE-2016-6210


git-svn-id: svn://svn.freebsd.org/base/stable/10@325802 ccf9f872-aa2e-dd11-9fc8-001c23d0bc1f
---
 lib/libpam/modules/pam_unix/pam_unix.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/lib/libpam/modules/pam_unix/pam_unix.c b/lib/libpam/modules/pam_unix/pam_unix.c
index 5403d5d55..2fd3b6197 100644
--- a/lib/libpam/modules/pam_unix/pam_unix.c
+++ b/lib/libpam/modules/pam_unix/pam_unix.c
@@ -111,6 +111,7 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags __unused,
 			if (!(flags & PAM_DISALLOW_NULL_AUTHTOK) &&
 			    openpam_get_option(pamh, PAM_OPT_NULLOK))
 				return (PAM_SUCCESS);
+			PAM_LOG("Password is empty, using fake password");
 			realpw = "*";
 		}
 		lc = login_getpwclass(pwd);
@@ -125,6 +126,10 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags __unused,
 	if (retval != PAM_SUCCESS)
 		return (retval);
 	PAM_LOG("Got password");
+	if (strnlen(pass, _PASSWORD_LEN + 1) > _PASSWORD_LEN) {
+		PAM_LOG("Password is too long, using fake password");
+		realpw = "*";
+	}
 	if (strcmp(crypt(pass, realpw), realpw) == 0)
 		return (PAM_SUCCESS);
 
-- 
2.42.0