X-Git-Url: http://www.average.org/gitweb/?p=pam_pcsc_cr.git;a=blobdiff_plain;f=authobj.c;h=b4a1f2be26e1f3e3a284a128a5a6ba49c2aac954;hp=ed20d4a41c0db67655fefbf0562e592032f090d4;hb=8fa876111604e494a754e452090bfdd8fccd64c6;hpb=9a483f548a0833a15dbb594eb5b48026c0eb93ae

diff --git a/authobj.c b/authobj.c
index ed20d4a..b4a1f2b 100644
--- a/authobj.c
+++ b/authobj.c
@@ -1,3 +1,26 @@
+/*
+Copyright (c) 2013 Eugene Crosser
+
+This software is provided 'as-is', without any express or implied
+warranty. In no event will the authors be held liable for any damages
+arising from the use of this software.
+
+Permission is granted to anyone to use this software for any purpose,
+including commercial applications, and to alter it and redistribute it
+freely, subject to the following restrictions:
+
+    1. The origin of this software must not be misrepresented; you must
+    not claim that you wrote the original software. If you use this
+    software in a product, an acknowledgment in the product documentation
+    would be appreciated but is not required.
+
+    2. Altered source versions must be plainly marked as such, and must
+    not be misrepresented as being the original software.
+
+    3. This notice may not be removed or altered from any source
+    distribution.
+*/
+
 #ifdef HAVE_CONFIG_H
 # include "config.h"
 #endif
@@ -103,6 +126,15 @@ make_authobj(const char *userid, const char *password, const char *nonce,
 	datasize = ((secsize + paylsize + HASHSIZE + 4 * sizeof(short) - 1) /
 			CBLKSIZE + 1) * CBLKSIZE;
 	data = alloca(datasize);
+	/* 
+	   We allocate memory rounded up to CBLKSIZE on the stack, but do not
+	   use the last bytes. Stack protectors, if enabled, fill this memory
+	   with `canary` value. Later, when encryption function is called,
+	   stack protector detects that it tries to access "uninitialized
+	   memory". Which, while technically true, is not an error. Still,
+	   let us make stack protector happy by initializing the whole area:
+	 */
+	memset(data, 0, datasize);
 	serial_init(&srl, data, datasize);
 	if (serial_put(&srl, secret, secsize) != secsize) {
 		ao.err = "authobj: serialization of secret failed";
@@ -209,6 +241,10 @@ struct _auth_obj authobj(const char *userid, const char *password,
 	struct _auth_obj new_ao = {0};
 
 	if (!secret || !secsize || !payload) {
+		if (!ablob || !blobsize) {
+			new_ao.err = "authobj: previous data not supplied";
+			return new_ao;
+		}
 		old_ao = parse_authobj(userid, password, oldnonce,
 					secret, secsize,
 					ablob, blobsize, fetch_key);