BUG/MEDIUM: auth: fix unconfigured password NULL deref

Fix a case of dereference NULL pointer when trying to use an user from
an userlist which does not have a password configured.

The check_user() function tries to do an strcmp of the password, howver
u->pass is NULL and the strcmp would crash when trying.

Must be backported in every stable branches.

diff --git a/src/auth.c b/src/auth.c
index f2380753a0eb82ca46f7fe6ecb065d95d2975b90..d82cead9c9aeda8b4c569c460cb4955faeec2a64 100644 (file)
--- a/src/auth.c
+++ b/src/auth.c
@@ -297,7 +297,7 @@ check_user(struct userlist *ul, const char *user, const char *pass)
        fprintf(stderr, ", crypt=%s\n", ((ep) ? ep : ""));
 #endif
 
-       if (ep && strcmp(ep, u->pass) == 0)
+       if (ep && u->pass && strcmp(ep, u->pass) == 0)
                return 1;
        else
                return 0;