ask-password: refuse empty password strv

Fixes #34270.
2026-04-14 08:25:20 +09:00 · 2024-09-06 11:19:39 +09:00
parent 03ec7311f1
commit 623a8b1922
1 changed files with 21 additions and 8 deletions
--- a/src/shared/ask-password-api.c
+++ b/src/shared/ask-password-api.c
@@ -168,7 +168,16 @@ static int ask_password_keyring(const AskPasswordRequest *req, AskPasswordFlags
        if (r < 0)
                return r;

-        return retrieve_key(serial, ret);
+        _cleanup_strv_free_erase_ char **l = NULL;
+        r = retrieve_key(serial, &l);
+        if (r < 0)
+                return r;
+
+        if (strv_isempty(l))
+                return log_debug_errno(SYNTHETIC_ERRNO(ENOKEY), "Found an empty password from keyring.");
+
+        *ret = TAKE_PTR(l);
+        return 0;
 }

 static int backspace_chars(int ttyfd, size_t p) {
@@ -323,8 +332,8 @@ int ask_password_plymouth(
                        return -ENOENT;

                } else if (IN_SET(buffer[0], 2, 9)) {
+                        _cleanup_strv_free_erase_ char **l = NULL;
                        uint32_t size;
-                        char **l;

                        /* One or more answers */
                        if (p < 5)
@@ -342,15 +351,16 @@ int ask_password_plymouth(
                        if (!l)
                                return -ENOMEM;

-                        *ret = l;
-                        break;
+                        if (strv_isempty(l))
+                                return log_debug_errno(SYNTHETIC_ERRNO(ECANCELED), "Received an empty password.");
+
+                        *ret = TAKE_PTR(l);
+                        return 0;

                } else
                        /* Unknown packet */
                        return -EIO;
        }
-
-        return 0;
 }

 #define NO_ECHO "(no echo) "
@@ -955,8 +965,8 @@ finish:

 static int ask_password_credential(const AskPasswordRequest *req, AskPasswordFlags flags, char ***ret) {
        _cleanup_(erase_and_freep) char *buffer = NULL;
+        _cleanup_strv_free_erase_ char **l = NULL;
        size_t size;
-        char **l;
        int r;

        assert(req);
@@ -971,7 +981,10 @@ static int ask_password_credential(const AskPasswordRequest *req, AskPasswordFla
        if (!l)
                return -ENOMEM;

-        *ret = l;
+        if (strv_isempty(l))
+                return log_debug_errno(SYNTHETIC_ERRNO(ENOKEY), "Found an empty password in credential.");
+
+        *ret = TAKE_PTR(l);
        return 0;
 }