From 50bd0948564c64d76acebf8f6c5b4f3ef7b6b4fc Mon Sep 17 00:00:00 2001
From: Nicholas Marriott
Date: Thu, 4 Jun 2009 21:43:24 +0000
Subject: If the prompt is hidden or a password is sent with -U, zero it before freeing it.
---
 server-msg.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
(limited to 'server-msg.c')
diff --git a/server-msg.c b/server-msg.c
index cff23cd5..5eaa04db 100644
--- a/server-msg.c
+++ b/server-msg.c
@@ -278,13 +278,14 @@ server_msg_fn_unlock(struct hdr *hdr, struct client *c)
 if (server_unlock(pass) != 0) {
 #define MSG "bad password"
 server_write_client(c, MSG_ERROR, MSG, (sizeof MSG) - 1);
- server_write_client(c, MSG_EXIT, NULL, 0);
- return (0);
 #undef MSG
 }

 server_write_client(c, MSG_EXIT, NULL, 0);

+ memset(pass, 0, strlen(pass));
+ xfree(pass);
+
 return (0);
 }

-- cgit
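Review bot: The added `memset(pass, 0, strlen(pass));` sits directly before `xfree(pass);` and nothing reads the buffer afterwards, so an optimising compiler is entitled to treat it as a dead store and drop it, leaving the password in freed heap memory. Use a wipe the optimiser cannot elide, for example `explicit_bzero(pass, strlen(pass));` where the platform provides it, or a small helper that writes through a `volatile` pointer. Where `pass` is copied from is outside this hunk; if the password also sits in the client's receive buffer or the message payload, that copy presumably needs the same treatment. The body of server_msg_fn_unlock starts above the hunk, so whether `pass` can be NULL at this point cannot be checked from here.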