From 24d1876ed4a06bf20936714e1b1de80263b71422 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Markus=20M=C3=A4kel=C3=A4?=
Date: Wed, 28 Nov 2018 00:15:57 +0200
Subject: [PATCH] Initialize memory in password hashing

The authentication code did not initialize one of the buffers used to calculate the password hashes. This resulted in the use of uninitialized memory when the user provided no password.
---
 server/modules/authenticator/MySQLAuth/dbusers.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/server/modules/authenticator/MySQLAuth/dbusers.c b/server/modules/authenticator/MySQLAuth/dbusers.c
index 2b5f12f61..d31bfa016 100644
--- a/server/modules/authenticator/MySQLAuth/dbusers.c
+++ b/server/modules/authenticator/MySQLAuth/dbusers.c
@@ -220,7 +220,7 @@ static bool check_password(const char *output, uint8_t *token, size_t token_len,
     /** Next, extract the SHA1 of the real password by XOR'ing it with
      * the output of the previous calculation */
-    uint8_t step2[SHA_DIGEST_LENGTH];
+    uint8_t step2[SHA_DIGEST_LENGTH] = {};
     gw_str_xor(step2, token, step1, token_len);
     /** The phase 2 scramble needs to be copied to the shared data structure as it
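Review bot: The added `= {}` is an empty initializer that C11 does not permit (GCC accepts it as an extension and warns under -pedantic); the portable spelling with identical effect is `uint8_t step2[SHA_DIGEST_LENGTH] = {0};`. Zero-filling makes the later hash deterministic, but it treats the symptom: gw_str_xor presumably writes only token_len bytes into step2, so when the client sends no password (token_len of 0, going by the commit message) the subsequent digest is computed over all zeros rather than over a real scramble. A guard before the XOR that rejects a token whose length is not SHA_DIGEST_LENGTH when a non-empty password is expected, or that handles the empty-password case explicitly, would document the contract instead of relying on the zero fill; check_password continues outside the hunk, so it is not visible here whether such a length check already exists.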