https://github.com/OpenSMTPD/OpenSMTPD/pull/835 avoid null pointer deref if crypt(3) fails and returns null include "includes.h" so HAVE_CRYPT_H is defined and crypt.h gets included --- openbsd-compat/crypt_checkpass.c +++ openbsd-compat/crypt_checkpass.c @@ -1,5 +1,6 @@ /* OPENBSD ORIGINAL: lib/libc/crypt/cryptutil.c */ +#include "includes.h" #include #ifdef HAVE_CRYPT_H #include @@ -10,6 +11,8 @@ int crypt_checkpass(const char *pass, const char *goodhash) { + char *c; + if (goodhash == NULL) goto fail; @@ -17,7 +20,11 @@ crypt_checkpass(const char *pass, const char *goodhash) if (strlen(goodhash) == 0 && strlen(pass) == 0) return 0; - if (strcmp(crypt(pass, goodhash), goodhash) == 0) + c = crypt(pass, goodhash); + if (c == NULL) + goto fail; + + if (strcmp(c, goodhash) == 0) return 0; fail: