Locking memory if we expect the prompt to be returning a password

1 files changed, 19 insertions, 2 deletions

diff --git a/src/pam-freerdp.c b/src/pam-freerdp.c
index 0e5c3fa..43b16d5 100644
--- a/src/pam-freerdp.c
+++ b/src/pam-freerdp.c
@@ -110,6 +110,18 @@ get_item (pam_handle_t * pamh, int type)
 	char * promptval = responses->resp;
 	free(responses);
 
+	/* If we didn't get anything, just move on */
+	if (promptval == NULL) {
+		return NULL;
+	}
+
+	if (type == PAM_AUTHTOK) {
+		if (mlock(promptval, strlen(promptval) + 1) != 0) {
+			free(promptval);
+			return NULL;
+		}
+	}
+
 	if (type == PAM_RHOST) {
 		char * subloc = strstr(promptval, "://");
 		if (subloc != NULL) {
@@ -146,11 +158,11 @@ get_item (pam_handle_t * pamh, int type)
 			/* We also save the password globally if we've got one */
 			if (global_password != NULL) {
 				memset(global_password, 0, strlen(global_password));
-				munlock(global_password, strlen(global_password));
+				munlock(global_password, strlen(global_password) + 1);
 				free(global_password);
 			}
 			global_password = strdup(promptval);
-			if (mlock(global_password, strlen(global_password)) != 0) {
+			if (mlock(global_password, strlen(global_password) + 1) != 0) {
 				/* Woah, can't lock it.  Can't keep it. */
 				free(global_password);
 				global_password = NULL;
@@ -159,6 +171,11 @@ get_item (pam_handle_t * pamh, int type)
 			}
 		}
 
+		if (type == PAM_AUTHTOK) {
+			memset(promptval, 0, strlen(promptval) + 1);
+			munlock(promptval, strlen(promptval) + 1);
+		}
+
 		free(promptval);
 	}