Apply the sanctioned fix for the cvs password problem from Mark D. Baushke.

2006-07-26 14:16:55 +00:00 · 2006-07-26 14:16:55 +00:00 · 3399020b04
parent 224c697f91
commit 3399020b04
3 changed files with 26 additions and 8 deletions
--- a/gnu/dist/xcvs/src/client.c
+++ b/gnu/dist/xcvs/src/client.c
@ -3935,9 +3935,8 @@ auth_server (root, lto_server, lfrom_server, verify_only, do_gssapi)
 	send_to_server(end, 0);
 	send_to_server("\012", 1);

-        /* Paranoia. */
-	memset (password, 0, strlen (password));
-	free (password);
+	free_cvs_password (password);
+	password = NULL;
 # else /* ! AUTH_CLIENT_SUPPORT */
 	error (1, 0, "INTERNAL ERROR: This client does not support pserver authentication");
 # endif /* AUTH_CLIENT_SUPPORT */
--- a/gnu/dist/xcvs/src/cvs.h
+++ b/gnu/dist/xcvs/src/cvs.h
@ -927,6 +927,7 @@ char *descramble PROTO ((char *str));

 #ifdef AUTH_CLIENT_SUPPORT
 char *get_cvs_password PROTO((void));
+void free_cvs_password PROTO((char *str));
 int get_cvs_port_number PROTO((const cvsroot_t *root));
 char *normalize_cvsroot PROTO((const cvsroot_t *root));
 #endif /* AUTH_CLIENT_SUPPORT */
--- a/gnu/dist/xcvs/src/login.c
+++ b/gnu/dist/xcvs/src/login.c
@ -566,18 +566,36 @@ login (argc, argv)
    password_entry_operation (password_entry_add, current_parsed_root,
                              typed_password);

-    memset (typed_password, 0, strlen (typed_password));
-    free (typed_password);
-
-    free (cvs_password);
+    free_cvs_password (typed_password);
    free (cvsroot_canonical);
-    cvs_password = NULL;

    return 0;
 }



+/* Free the password returned by get_cvs_password() and also free the
+ * saved cvs_password if they are different pointers. Be paranoid
+ * about the in-memory copy of the password and overwrite it with zero
+ * bytes before doing the free().
+ */
+void
+free_cvs_password (char *password)
+{
+    if (password && password != cvs_password)
+    {
+	memset (password, 0, strlen (password));
+	free (password);
+    }
+
+    if (cvs_password)
+    {
+	memset (cvs_password, 0, strlen (cvs_password));
+	free (cvs_password);
+	cvs_password = NULL;
+    }
+}
+
 /* Returns the _scrambled_ password.  The server must descramble
   before hashing and comparing.  If password file not found, or
   password not found in the file, just return NULL. */