1 files changed, 4 insertions, 4 deletions
diff --git a/loginutils/passwd.c b/loginutils/passwd.c
index 59f47fc7b..30e096460 100644
--- a/loginutils/passwd.c
+++ b/loginutils/passwd.c
@@ -43,7 +43,7 @@
 static char* new_password(const struct passwd *pw, uid_t myuid, const char *algo)
 {
        char salt[MAX_PW_SALT_LEN];
-        char *orig = (char*)"";
+        char *orig = NULL;
        char *newp = NULL;
        char *cp = NULL;
        char *ret = NULL; /* failure so far */
@@ -51,7 +51,7 @@ static char* new_password(const struct passwd *pw, uid_t myuid, const char *algo
        if (myuid != 0 && pw->pw_passwd[0]) {
                char *encrypted;
-                orig = bb_ask_noecho_stdin("Old password: "); /* returns ptr to static */
+                orig = bb_ask_noecho_stdin("Old password: "); /* returns malloced str */
                if (!orig)
                        goto err_ret;
                encrypted = pw_encrypt(orig, pw->pw_passwd, 1); /* returns malloced str */
@@ -64,11 +64,11 @@ static char* new_password(const struct passwd *pw, uid_t myuid, const char *algo
                if (ENABLE_FEATURE_CLEAN_UP)
                        free(encrypted);
        }
-        newp = bb_ask_noecho_stdin("New password: "); /* returns ptr to static */
+        newp = bb_ask_noecho_stdin("New password: "); /* returns malloced str */
        if (!newp)
                goto err_ret;
        if (ENABLE_FEATURE_PASSWD_WEAK_CHECK
-         && obscure(orig, newp, pw)
+         && obscure(orig, newp, pw) /* NB: passing NULL orig is ok */
         && myuid != 0
        ) {
                goto err_ret; /* non-root is not allowed to have weak passwd */

diff --git a/loginutils/passwd.c b/loginutils/passwd.c index 59f47fc7b..30e096460 100644 --- a/loginutils/passwd.c +++ b/loginutils/passwd.c
@@ -43,7 +43,7 @@
43	static char* new_password(const struct passwd pw, uid_t myuid, const char algo)	43	static char* new_password(const struct passwd pw, uid_t myuid, const char algo)
44	{	44	{
45	char salt[MAX_PW_SALT_LEN];	45	char salt[MAX_PW_SALT_LEN];
46	char orig = (char)"";	46	char *orig = NULL;
47	char *newp = NULL;	47	char *newp = NULL;
48	char *cp = NULL;	48	char *cp = NULL;
49	char ret = NULL; / failure so far */	49	char ret = NULL; / failure so far */
@@ -51,7 +51,7 @@ static char* new_password(const struct passwd pw, uid_t myuid, const char algo
51	if (myuid != 0 && pw->pw_passwd[0]) {	51	if (myuid != 0 && pw->pw_passwd[0]) {
52	char *encrypted;	52	char *encrypted;
53		53
54	orig = bb_ask_noecho_stdin("Old password: "); /* returns ptr to static */	54	orig = bb_ask_noecho_stdin("Old password: "); /* returns malloced str */
55	if (!orig)	55	if (!orig)
56	goto err_ret;	56	goto err_ret;
57	encrypted = pw_encrypt(orig, pw->pw_passwd, 1); /* returns malloced str */	57	encrypted = pw_encrypt(orig, pw->pw_passwd, 1); /* returns malloced str */
@@ -64,11 +64,11 @@ static char* new_password(const struct passwd pw, uid_t myuid, const char algo
64	if (ENABLE_FEATURE_CLEAN_UP)	64	if (ENABLE_FEATURE_CLEAN_UP)
65	free(encrypted);	65	free(encrypted);
66	}	66	}
67	newp = bb_ask_noecho_stdin("New password: "); /* returns ptr to static */	67	newp = bb_ask_noecho_stdin("New password: "); /* returns malloced str */
68	if (!newp)	68	if (!newp)
69	goto err_ret;	69	goto err_ret;
70	if (ENABLE_FEATURE_PASSWD_WEAK_CHECK	70	if (ENABLE_FEATURE_PASSWD_WEAK_CHECK
71	&& obscure(orig, newp, pw)	71	&& obscure(orig, newp, pw) /* NB: passing NULL orig is ok */
72	&& myuid != 0	72	&& myuid != 0
73	) {	73	) {
74	goto err_ret; /* non-root is not allowed to have weak passwd */	74	goto err_ret; /* non-root is not allowed to have weak passwd */