On Wed, Dec 30, 2020 at 09:08:53AM -0700, Todd C. Miller wrote:
>[...]
> Yes, that should be checked.  In the case of login_passwd.c there
> is really no reason to use auth_mkvalue(3) at all as there is nothing
> that needs to be escaped.  I think the simplest approach is to send
> a reject message if there is a memory allocation error.
> 
>  - todd
> 
> Index: login_passwd/login_passwd.c
> ===================================================================
> RCS file: /cvs/src/libexec/login_passwd/login_passwd.c,v
> retrieving revision 1.18
> diff -u -p -u -r1.18 login_passwd.c
> --- login_passwd/login_passwd.c       15 May 2020 17:25:39 -0000      1.18
> +++ login_passwd/login_passwd.c       30 Dec 2020 16:05:30 -0000
> @@ -121,7 +121,7 @@ main(int argc, char *argv[])
>       }
>       if (wheel != NULL && strcmp(wheel, "yes") != 0) {
>               fprintf(back, BI_VALUE " errormsg %s\n",
> -                 auth_mkvalue("you are not in group wheel"));
> +                 "you are not in group wheel");
>               fprintf(back, BI_REJECT "\n");
>               exit(1);
>       }
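
Review bot: On the added line passing "you are not in group wheel" straight to the "%s" conversion, the message now reaches the back channel with no escaping at all, which is safe only while the literal contains no newline or anything else that would need escaping. The errormsg value is written as a single newline-terminated line just before BI_REJECT, so a later rewording that adds such a character would corrupt that line. A short comment at this fprintf() saying the string must stay plain printable text would guard against that. The hunk also leaves the file's includes untouched. If this was the only auth_mkvalue() caller in login_passwd.c, check whether the header pulled in for it is still needed and drop it in the same commit.
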
>[...]

It could, of course, just use a fixed string rather than the "%s" format,
although the latter is certainly clear(er) and consistent.

With auth_mkvalue() not being used, I don't think it needs to include
<bsd_auth.h> any more.

Thanks,
        Ross
