From 54122b6b38c29e2d58d044ea579fdf2bc166030d Mon Sep 17 00:00:00 2001
From: markus <>
Date: Tue, 2 Sep 2003 16:55:32 +0000
Subject: [PATCH] fix use-after-free for expired passwds; ok deraadt, tdeval

---
 src/lib/libutil/check_expire.c | 16 +++++++++-------
 1 file changed, 9 insertions(+), 7 deletions(-)

diff --git a/src/lib/libutil/check_expire.c b/src/lib/libutil/check_expire.c
index ddae3325..f1d1e438 100644
--- a/src/lib/libutil/check_expire.c
+++ b/src/lib/libutil/check_expire.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: check_expire.c,v 1.6 2002/06/09 22:18:43 fgsch Exp $	*/
+/*	$OpenBSD: check_expire.c,v 1.7 2003/09/02 16:55:32 markus Exp $	*/
 
 /*
  * Copyright (c) 1997 Berkeley Software Design, Inc. All rights reserved.
@@ -120,6 +120,8 @@ login_check_expire(back, pwd, class, lastchance)
 		}
 		if (expire < 0) {
 			if (lastchance) {
+				struct passwd *npwd;
+
 				endpwent();
 
 				/*
@@ -128,12 +130,12 @@ login_check_expire(back, pwd, class, lastchance)
 				 * This will most certainly cause any
 				 * expired password to be dead, as well.
 				 */
-				pwd = pw_dup(pwd);
-				pwd->pw_change = 1;
-				p = pwd_update(pwd);
-				memset(pwd->pw_passwd, 0,
-				    strlen(pwd->pw_passwd));
-				free(pwd);
+				npwd = pw_dup(pwd);
+				npwd->pw_change = 1;
+				p = pwd_update(npwd);
+				memset(npwd->pw_passwd, 0,
+				    strlen(npwd->pw_passwd));
+				free(npwd);
 				if (p != NULL) {
 					fprintf(back, BI_VALUE " errormsg %s",
 					    auth_mkvalue(p));