From: Tobias Stoeckmann <tobias@stoeckmann.org>
Date: Fri, 19 Dec 2025 11:33:45 +0000 (+0000)
Subject: lib/obscure.c: Fix PASS_MIN_LEN -1 case
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=deb192fe788777d3501ca4d7e5730d2102e28252;p=thirdparty%2Fshadow.git

lib/obscure.c: Fix PASS_MIN_LEN -1 case

The getdef_num implementation allows -1 to be specified in login.defs.
In general, -1 should be treated the same way as "not specified". In
this case, casting -1 to size_t leads to every password being "too
short."

Reviewed-by: Alejandro Colomar <alx@kernel.org>
Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
---

diff --git a/lib/obscure.c b/lib/obscure.c
index 2ece23308..3c723b2bf 100644
--- a/lib/obscure.c
+++ b/lib/obscure.c
@@ -116,6 +116,7 @@ static /*@observer@*//*@null@*/const char *obscure_msg (
 	/*@notnull@*/const char *new)
 {
 	size_t maxlen, oldlen, newlen;
+	int minlen;
 	char *new1, *old1;
 	const char *msg;
 	const char *result;
@@ -123,7 +124,8 @@ static /*@observer@*//*@null@*/const char *obscure_msg (
 	oldlen = strlen (old);
 	newlen = strlen (new);
 
-	if (newlen < (size_t) getdef_num ("PASS_MIN_LEN", 0)) {
+	minlen = getdef_num ("PASS_MIN_LEN", 0);
+	if (minlen != -1 && newlen < (size_t) minlen) {
 		return _("too short");
 	}