ask-password: refuse empty password strv

Fixes #34270. (cherry picked from commit 623a8b1922bdbd2fb06bc5f2c67d3d6930efc58e) (cherry picked from commit 34881c9d5afdd05e9e6f1824cbea9d1954ea80c0) (cherry picked from commit 553d5b03bd) (cherry picked from commit abaef1ab97)
2025-01-07 17:17:44 +03:00 · 2024-09-06 11:19:39 +09:00 · 2024-09-06 11:19:39 +09:00 · 339e0b4c31
commit 339e0b4c31
parent 2fa6459cb3
1 changed files with 21 additions and 8 deletions
--- a/src/shared/ask-password-api.c
+++ b/src/shared/ask-password-api.c
@ -169,7 +169,16 @@ static int ask_password_keyring(const char *keyname, AskPasswordFlags flags, cha
                return r;
        }

-        return retrieve_key(serial, ret);
+        _cleanup_strv_free_erase_ char **l = NULL;
+        r = retrieve_key(serial, &l);
+        if (r < 0)
+                return r;
+
+        if (strv_isempty(l))
+                return log_debug_errno(SYNTHETIC_ERRNO(ENOKEY), "Found an empty password from keyring.");
+
+        *ret = TAKE_PTR(l);
+        return 0;
 }

 static int backspace_chars(int ttyfd, size_t p) {
@ -326,8 +335,8 @@ int ask_password_plymouth(
                        return -ENOENT;

                } else if (IN_SET(buffer[0], 2, 9)) {
+                        _cleanup_strv_free_erase_ char **l = NULL;
                        uint32_t size;
-                        char **l;

                        /* One or more answers */
                        if (p < 5)
@ -345,15 +354,16 @@ int ask_password_plymouth(
                        if (!l)
                                return -ENOMEM;

-                        *ret = l;
-                        break;
+                        if (strv_isempty(l))
+                                return log_debug_errno(SYNTHETIC_ERRNO(ECANCELED), "Received an empty password.");
+
+                        *ret = TAKE_PTR(l);
+                        return 0;

                } else
                        /* Unknown packet */
                        return -EIO;
        }
-
-        return 0;
 }

 #define NO_ECHO "(no echo) "
@ -948,8 +958,8 @@ finish:

 static int ask_password_credential(const char *credential_name, AskPasswordFlags flags, char ***ret) {
        _cleanup_(erase_and_freep) char *buffer = NULL;
+        _cleanup_strv_free_erase_ char **l = NULL;
        size_t size;
-        char **l;
        int r;

        assert(credential_name);
@ -963,7 +973,10 @@ static int ask_password_credential(const char *credential_name, AskPasswordFlags
        if (!l)
                return -ENOMEM;

-        *ret = l;
+        if (strv_isempty(l))
+                return log_debug_errno(SYNTHETIC_ERRNO(ENOKEY), "Found an empty password in credential.");
+
+        *ret = TAKE_PTR(l);
        return 0;
 }