From 3df593099ecb4b7570548bc14ca58960f79bc9b2 Mon Sep 17 00:00:00 2001
From: Ondrej Kos <okos@redhat.com>
Date: Jul 18 2013 14:04:42 +0000
Subject: Do not try to set password when authtok_length is zero


https://fedorahosted.org/sssd/ticket/1814

When the authtok_length is zero, it shouldn't call
sss_authtok_set_password, because it tries to determine lenght of passed
string by itself and would read parts of DBus message behind boundaries
of authtok.

---

diff --git a/src/responder/pam/pamsrv_cmd.c b/src/responder/pam/pamsrv_cmd.c
index ff86a13..bf9a686 100644
--- a/src/responder/pam/pamsrv_cmd.c
+++ b/src/responder/pam/pamsrv_cmd.c
@@ -65,8 +65,12 @@ static int extract_authtok_v2(TALLOC_CTX *mem_ctx, struct sss_auth_token *tok,
         sss_authtok_set_empty(tok);
         break;
     case SSS_AUTHTOK_TYPE_PASSWORD:
-        ret = sss_authtok_set_password(tok, (const char *)auth_token_data,
-                                       auth_token_length);
+        if (auth_token_length == 0) {
+            sss_authtok_set_empty(tok);
+        } else {
+            ret = sss_authtok_set_password(tok, (const char *)auth_token_data,
+                                           auth_token_length);
+        }
         break;
     default:
         return EINVAL;